A Capture Contact Form (and tab) - Insecure deserialization
Summary
| Field | Value |
| --- | --- |
| Name | A Capture Contact Form (and tab) by AWebVoice.com trun - Insecure deserialization |
| Code name | skims-0001 |
| Product | A Capture Contact Form (and tab) by AWebVoice.com |
| Affected versions | Version trun |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Field | Value |
| --- | --- |
| Kind | Insecure deserialization |
| Rule | Insecure deserialization |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
| CVSSv4 Base Score | 1.7 (Low) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31287 |
Description
Version trun of A Capture Contact Form (and tab) by AWebVoice.com was found to be vulnerable to insecure deserialization: unvalidated user input taken from the POST body is passed directly to the unserialize function in myapp/awebvoicebuttonform.php.
Vulnerability
Skims by Fluid Attacks discovered an insecure deserialization vulnerability in A Capture Contact Form (and tab) by AWebVoice.com trun. The following is the output of the tool:
Skims output
```php
function awebvoice_setup() {
	$awebvoice_data = unserialize(get_option("awebvoice_data"));

	if ($_POST) {
		// Flagged by Skims: request data reaches unserialize() without validation
		$awebvoice_data = unserialize(stripslashes($_POST["awebvoice_data"]));
		$awebvoice_action = $awebvoice_data["action"];
		unset($awebvoice_data["action"]);

		if ($awebvoice_action == "save_account") { // save initial email and set up contact page
			$old_data = unserialize(get_option('awebvoice_data'));
			if ($old_data["wp_page_id"]) wp_delete_post($old_data["wp_page_id"]);
			if ($awebvoice_data["publish_page"] == "true") {
				if (!get_post($awebvoice_data["wp_page_id"])) {
					$awebvoice_page_id = wp_insert_post(array(
						'post_status' => 'publish',
						'post_type' => 'page',
						'post_name' => $awebvoice_data["button"]["label"],
						'post_title' => $awebvoice_data["button"]["label"],
						'comment_status' => 'closed',
						'post_content' => '<iframe src="'.$awebvoice_data["embed_src"].'" frameborder="0" scrolling="no" allowtransparency=
					));
					$awebvoice_data["wp_page_id"] = $awebvoice_page_id;
				}
			}
			update_option("awebvoice_data", serialize($awebvoice_data));
		}
		elseif ($awebvoice_action == "save_settings") { // save just configuration settings
			if (get_option('awebvoice_data')) {
				$awebvoice_data = array_merge(unserialize(get_option('awebvoice_data')), $awebvoice_data);
			}

			if ($awebvoice_data["publish_page"] == "true") {
				if (!get_post($awebvoice_data["wp_page_id"])) {
					$awebvoice_page_id = wp_insert_post(array(
						'post_status' => 'publish',
						'post_type' => 'page',
						'post_name' => $awebvoice_data["button"]["label"],
						'post_title' => $awebvoice_data["button"]["label"],
						'comment_status' => 'closed',
						'post_content' => '<iframe src="'.$awebvoice_data["embed_src"].'" frameborder="0" scrolling="no" allowtransparency=
					));
					$awebvoice_data["wp_page_id"] = $awebvoice_page_id;
				} else {
					$awebvoice_page_id = wp_update_post(array(
						'ID' => $awebvoice_data["wp_page_id"],
						'post_status' => 'publish',
						'post_type' => 'page',
						'post_name' => $awebvoice_data["button"]["label"],
						'post_title' => $awebvoice_data["button"]["label"],
						'comment_status' => 'closed',
						'post_content' => '<iframe src="'.$awebvoice_data["embed_src"].'" frameborder="0" scrolling="no" allowtransparency=
					));
					$awebvoice_data["wp_page_id"] = $awebvoice_page_id;
				}
			} else {
				wp_delete_post($awebvoice_data["wp_page_id"]);
				unset($awebvoice_data["wp_page_id"]);
			}
			update_option("awebvoice_data", serialize($awebvoice_data));
		}
	}
?>
<script type="text/javascript" src="http://www.awebvoice.com/jscripts/jquery.ba-postmessage.js"></script>
<script type="text/javascript">

	jQuery(function(){
		jQuery.receiveMessage(
			function(e){
				jQuery('#awebvoice_data').val(e.data);
				jQuery("#awebvoice_form").submit();
			},
			'http://www.awebvoice.com'
		);

	});

</script>


<form method="post" id="awebvoice_form" action="">
	<input type="hidden" id="awebvoice_data" name="awebvoice_data" value="" />
</form>

<iframe id="awebvoice_frame" src="http://www.awebvoice.com/wordpress?l=<?php echo get_bloginfo('wpurl')?>&<?php echo http
<?php
}
```
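As an added illustration (not the plugin's code and not part of the Skims finding) of the defensive shape this handler would need: the posted field is treated as opaque text and decoded as JSON instead of being handed to unserialize(), the request is gated by a capability and nonce check, and every key is allow-listed and coerced to its expected type. The nonce action name, the helper function names and the https-only restriction on the embed URL are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened replacement for the
// pattern flagged above, where $_POST["awebvoice_data"] reaches unserialize().
// Helper names and the nonce action 'awebvoice_settings' are hypothetical.

/**
 * Parse the posted settings without unserialize().
 * Returns a cleaned array on success, or a WP_Error when any check fails.
 */
function awebvoice_read_posted_settings_safe() {
    // 1. Only an administrator submitting from the plugin's own settings page.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_admin_referer( 'awebvoice_settings' );

    // 2. Treat the field as an opaque string and decode it as JSON; PHP
    //    serialization is never reconstructed from request data.
    $raw  = isset( $_POST['awebvoice_data'] ) ? wp_unslash( $_POST['awebvoice_data'] ) : '';
    $data = json_decode( $raw, true, 4 );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'bad_payload', 'Settings must be a JSON object.' );
    }

    // 3. Allow-list every key the handler uses and coerce each value.
    $actions = array( 'save_account', 'save_settings' );
    $clean   = array();
    $clean['action']       = in_array( $data['action'] ?? '', $actions, true ) ? $data['action'] : '';
    $clean['publish_page'] = ( $data['publish_page'] ?? '' ) === 'true';
    $clean['wp_page_id']   = absint( $data['wp_page_id'] ?? 0 );
    $clean['button']       = array( 'label' => sanitize_text_field( $data['button']['label'] ?? '' ) );
    // Restricting the embed URL to https is a hardening choice assumed here.
    $clean['embed_src']    = esc_url_raw( $data['embed_src'] ?? '', array( 'https' ) );

    if ( $clean['action'] === '' ) {
        return new WP_Error( 'bad_action', 'Unknown action.' );
    }
    return $clean;
}

/**
 * Store the cleaned settings as JSON so the stored option is also read back
 * with json_decode() rather than unserialize().
 */
function awebvoice_store_settings_safe( array $clean ) {
    return update_option( 'awebvoice_data', wp_json_encode( $clean ) );
}
```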
Our security policy
We have reserved the ID CVE-2025-31287 to refer to this issue from now on.
System Information
- Product: A Capture Contact Form (and tab) by AWebVoice.com
- Version: trun
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline

2025-03-14
Vulnerability discovered.

2025-03-14
Vendor contacted.