Independent security researcher Pouya Darabi spotted multiple vulnerabilities in the PHP FormMail Generator site that could allow a remote user to gain access to a generated form's administrator panel or to obtain files from the server hosting the form.
The site is a single-instance web service that generates PHP form-handling code for inclusion in PHP or WordPress websites. According to a Dec. 8 security advisory, the vulnerabilities lie in the code the generator produces, which is susceptible to authentication bypass and to unsafe deserialization of untrusted data.
“A remote unauthenticated user may bypass authentication to access the administrator panel by navigating directly to: /admin.php?mod=admin&func=panel,” the advisory said.
The website has since been patched, and an updated version was made available on Dec. 6. Because the flaws sit in the generated code, fixing the generator does not fix forms that are already deployed: those who generated forms before the update are encouraged to regenerate the PHP form code using the updated website, or to patch their deployed code manually.
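The two weaknesses the advisory names, shown in a minimal "mod/func" dispatcher of the kind a form generator might emit, first vulnerable and then hardened. This is an illustration added to this article, not PHP FormMail Generator's own output; only the route names (mod=admin&func=panel) come from the advisory, while the function names, the CleanupTask class, the "state" cookie and the "admin_authenticated" session key are assumptions made for the example.

```php
<?php
// Added illustration for this article: a minimal "mod/func" request
// dispatcher of the kind a form generator might emit, shown first with the
// two weaknesses the advisory describes and then hardened. This is
// hypothetical code, not PHP FormMail Generator's own output; only the
// route names (mod=admin&func=panel) mirror the advisory's URL.
// Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// Any class loaded by the application can be instantiated by unserialize()
// when the input is attacker-controlled; a class whose magic methods have
// side effects is the starting point of a gadget chain. Hypothetical class.
class CleanupTask
{
    public string $path = '';
    public function __destruct()
    {
        // A real application might unlink($this->path) here. Kept inert.
    }
}

// ---- Vulnerable pattern ----------------------------------------------------
function dispatch_vulnerable(array $get, array $cookie): string
{
    $mod  = $get['mod']  ?? 'form';
    $func = $get['func'] ?? 'show';

    // Weakness 1: the admin panel is selected by name alone; no code path
    // checks whether the caller ever authenticated.
    if ($mod === 'admin' && $func === 'panel') {
        return 'ADMIN PANEL';
    }

    // Weakness 2: saved form state is restored with unserialize() from a
    // cookie, so the client chooses the class and properties of the object.
    if (isset($cookie['state'])) {
        $state = unserialize($cookie['state']);
        return 'restored ' . (is_object($state) ? get_class($state) : gettype($state));
    }
    return 'form';
}

// ---- Hardened pattern ------------------------------------------------------
function require_admin(array $session): void
{
    if (($session['admin_authenticated'] ?? false) !== true) {
        throw new RuntimeException('authentication required');
    }
}

function dispatch_hardened(array $get, array $cookie, array $session): string
{
    $mod  = $get['mod']  ?? 'form';
    $func = $get['func'] ?? 'show';

    if ($mod === 'admin') {
        require_admin($session);   // one gate in front of every admin function
        if ($func === 'panel') {
            return 'ADMIN PANEL';
        }
        throw new RuntimeException('unknown admin function');
    }

    if (isset($cookie['state'])) {
        // JSON instead of PHP's native format: json_decode() returns arrays
        // and scalars only, so no class can be instantiated from the cookie.
        // If the native format must stay, the minimum fix is
        // unserialize($data, ['allowed_classes' => false]).
        $state = json_decode($cookie['state'], true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($state)) {
            throw new RuntimeException('malformed state');
        }
        return 'restored array';
    }
    return 'form';
}

// ---- Demonstration with constructed inputs (no real request or server) ----
$bypass = ['mod' => 'admin', 'func' => 'panel'];
// Constructed cookie: a serialized object naming the CleanupTask class with
// an attacker-chosen property value.
$poison = ['state' => 'O:11:"CleanupTask":1:{s:4:"path";s:11:"/etc/passwd";}'];

echo "vulnerable, no session:  ", dispatch_vulnerable($bypass, []), PHP_EOL;
echo "vulnerable, poisoned:    ", dispatch_vulnerable([], $poison), PHP_EOL;

try {
    dispatch_hardened($bypass, [], []);
} catch (RuntimeException $e) {
    echo "hardened, no session:    blocked (", $e->getMessage(), ")", PHP_EOL;
}
echo "hardened, admin session: ", dispatch_hardened($bypass, [], ['admin_authenticated' => true]), PHP_EOL;
try {
    dispatch_hardened([], $poison, []);
} catch (JsonException $e) {
    echo "hardened, poisoned:      rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

The point of the hardened dispatcher is structural: every admin function passes through a single authentication gate, so a new route cannot be added without it, and client-side state is carried in a format that can never name a class. When auditing a deployed form generated before the Dec. 6 update, these are the two things to look for: an admin branch reachable without a session check, and any unserialize() call whose input comes from a request.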