WordPress Plugin Vulnerabilities

Form Vibes < 1.4.6 - Admin+ SQLi

Description

The "delete_entries" function does not filter parameters from the request. This leads to an SQL Injection vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
form-vibes
Fixed in 1.4.6

References

CVE
CVE-2022-3764
YouTube Video

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
9d49df6b-e2f1-4662-90d2-84c29c3b1cb0

Timeline

Publicly Published
2022-11-08 (about 3 years ago)
Added
2022-11-08 (about 3 years ago)
Last Updated
2022-11-08 (about 3 years ago)

Other

Published
Title
Published
2024-03-28
Title
WordPress Announcement & Notification Banner Plugin – Bulletin < 3.9.0 - Authenticated (Administrator+) SQL Injection
Published
2024-06-28
Title
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress < 1.2.11 - Unauthenticated SQL Injection via 'uwp_sort_by'
Published
2025-03-27
Title
Advanced Google reCAPTCHA < 1.30 - Authenticated (Subscriber+) Limited SQL Injection via 'sSearch' Parameter
Published
2025-08-27
Title
Simple Download Monitor < 3.9.34 - Simple Download Monitor < 3.9.34 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality
Published
2020-08-03
Title
Ajax Search Pro < 4.19 - Subscriber+ SQL Injection