Constant Contact Forms File Disclosure Scanner
This scanner detects the use of Constant Contact Forms WordPress Plugin Vulnerability in digital assets.
Short Info
Level
Low
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
11 days 6 hours
Scan only one
URL
Toolbox
-
The Constant Contact Forms WordPress Plugin is widely utilized by website administrators and developers to enable seamless integration with Constant Contact email marketing services. This plugin allows users to easily create and manage contact forms on WordPress sites, making it a popular choice for businesses looking to expand their marketing reach. Its functionality extends to various form building, management, and integration options, which are essential for collecting customer information. Being open-source, it is accessible to a large community, which aides in its rapid adoption. However, due to its usage in handling sensitive data, maintaining its security is crucial. Regular updates and monitoring are essential for safeguarding against vulnerabilities.
The detected vulnerability involves exposure due to the improper handling of sensitive files. This exposure occurs when internal files, such as get_access_token.json in the plugin, are accessible without proper authentication. Such vulnerabilities can lead to unauthorized access to sensitive information, potentially compromising user data and system integrity. It is categorized under security issues as it allows unauthorized information disclosure.
Technically, the vulnerability is manifested through the accessible endpoint /wp-content/plugins/constant-contact-forms/vendor/constantcontact/constantcontact/test/Json/Auth/get_access_token.json. The endpoint contains sensitive information if not properly secured. The terms "access_token" and "token_type" within the file indicate that sensitive authorization tokens may be exposed. The status 200 OK response without access controls confirms the presence of the flaw, allowing any unauthenticated request to retrieve the file.
Exploiting this vulnerability could lead to significant impacts such as unauthorized actions performed using the exposed token. It may allow an attacker to impersonate users or access restricted resources. Moreover, once the vulnerability is actively exploited, it can lead to data breaches, potential data manipulation, and financial and reputational damage to the affected entities. Therefore, immediate remediation measures are necessary to protect against these risks.
REFERENCES