• I have version 5.6.3 of this plugin running on a family-only website, so only a few people have access or care to visit. However, twice in the past week someone from Russia (two different IPs) has been able to fill out an Elementor form and submit it, and an email arrives in my mailbox.

    However, the site seems locked down for any page request, and I cannot get the page with the form to show up without being logged in.

    Is there some sort of leak whereby a form can be submitted even though the site is locked with this plugin? The page URL is whatever.com/about so perhaps there is an assumption that there is a contact form there and the hacker is somehow submitting based on that.

    When I look at the way the Elementor form works, it sends a POST to wp-admin/admin-ajax.php, and looking at the Request payload via Inspector, I see this:

    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="post_id"

    22444
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="form_id"

    0eb9680
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="referer_title"

    About
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="queried_id"

    22444
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="form_fields[name]"

    My Name
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="form_fields[email]"

    info+test@example.com.com
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="form_fields[message]"

    test
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="action"

    elementor_pro_forms_send_form
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa
    Content-Disposition: form-data; name="referrer"

    https://whatever.com/about/
    ------geckoformboundaryffdef58eb7a8d4df9648b727de3798aa--

    Perhaps the wp-admin/admin-ajax.php should also be blocked by this plugin?

The topic ‘Elementor Form Submitted’ is closed to new replies.
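What the captured request above shows is a POST to wp-admin/admin-ajax.php whose only routing information is the `action` value (`elementor_pro_forms_send_form`) plus a post ID and form ID; there is no login cookie or session token in the body. In WordPress, handlers registered on `wp_ajax_nopriv_{action}` are reachable by anonymous visitors by design, so a plugin that only gates page rendering leaves that endpoint open. The following is an added example, not code from the locking plugin or from Elementor: a must-use plugin (dropped into wp-content/mu-plugins/) that refuses selected admin-ajax actions unless the visitor is logged in, and logs the attempt. The plugin, function and filter names (`example_*`) and the contents of the denied-action list are assumptions made for this illustration.

```php
<?php
/**
 * Plugin Name: Deny anonymous admin-ajax actions (example mu-plugin)
 * Description: Rejects selected admin-ajax.php actions when the request does
 *              not come from a logged-in user. Illustrative code; not part of
 *              any plugin discussed on the page.
 */

// Assumption: these action names should never be reachable without a login on
// this site. 'elementor_pro_forms_send_form' is the action seen in the captured
// request; add others as needed.
const EXAMPLE_DENIED_NOPRIV_ACTIONS = array(
    'elementor_pro_forms_send_form',
);

/**
 * Decide whether an admin-ajax request must be refused.
 *
 * @param string $action    Value of the 'action' request parameter.
 * @param bool   $logged_in Whether the request carries a valid WordPress login.
 * @param array  $denied    Actions that require a login.
 * @return bool  True when the request should be rejected.
 */
function example_should_deny_ajax( $action, $logged_in, $denied ) {
    if ( $logged_in ) {
        return false;
    }
    return in_array( $action, $denied, true );
}

add_action( 'admin_init', function () {
    // admin_init also fires for admin-ajax.php; only act on AJAX requests.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    // Hypothetical filter so the list can be extended without editing this file.
    $denied = apply_filters( 'example_denied_nopriv_ajax_actions', EXAMPLE_DENIED_NOPRIV_ACTIONS );

    if ( ! example_should_deny_ajax( $action, is_user_logged_in(), $denied ) ) {
        return;
    }

    // Record the attempt. REMOTE_ADDR is the real client only when no reverse
    // proxy or CDN sits in front of the site.
    error_log( sprintf(
        'Denied anonymous admin-ajax action "%s" from %s (referer: %s)',
        $action,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : 'none'
    ) );

    // wp_send_json_error() sends the JSON body with the given status and exits,
    // so the wp_ajax_nopriv_* handler for this action never runs.
    wp_send_json_error( array( 'message' => 'Login required.' ), 403 );
}, 0 );
```

To confirm the fix, repeat the captured request from a browser or HTTP client that has no WordPress login cookie (the same `action`, `post_id`, `form_id` and `form_fields[...]` parameters as the payload above): before installing the mu-plugin the form handler accepts it and an email arrives; afterwards the response is HTTP 403 with a JSON error and a line appears in the PHP error log. The check is per action rather than a blanket block on admin-ajax.php because other plugins and themes legitimately use `wp_ajax_nopriv_` handlers for anonymous visitors; denying everything there can break them. This approach suits a site where every visitor is expected to be logged in; on a site with public contact forms it would block real submissions too.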