WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections

Description

The plugin did not properly sanitise the form_ids from the contact_form POST array parameter before using them in a SQL statement in the process_bulk_action() function. This could allow high privilege users, such as admin to perform SQL Injection against the DBMS via the bulk actions: delete, read and unread.

Note: Further SQL Injections have been fixed in 1.2.5.7.

Proof of Concept

Affects Plugins

Plugin icon
contact-form-cfdb7
Fixed in 1.2.5.4

References

URL
https://plugins.trac.wordpress.org/changeset/2458739

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.1 (critical)

Miscellaneous

Verified
Yes
WPVDB ID
75f2eeb2-c413-4601-bc62-554683480c30

Timeline

Publicly Published
2021-01-21 (about 5 years ago)
Added
2021-01-21 (about 5 years ago)
Last Updated
2021-01-25 (about 4 years ago)

Other

Published
Title
Published
2022-04-13
Title
BadgeOS < 3.7.1 - Unauthenticated SQLi
Published
2024-12-05
Title
KiviCare – Clinic & Patient Management System (EHR) < 3.6.5 - Unauthenticated SQL Injection
Published
2023-01-17
Title
MainWP Google Analytics Extension < 4.0.5 - Subscriber+ SQLi
Published
2025-03-24
Title
Web Directory Free < 1.7.7 - Unauthenticated SQL Injection
Published
2025-09-16
Title
Quiz Maker < 6.7.0.57 - Unauthenticated SQL Injection