WordPress Plugin Vulnerabilities

Form Vibes < 1.4.6 - Admin+ SQLi

Description

The "delete_entries" function does not filter parameters from the request. This leads to an SQL Injection vulnerability.

Proof of Concept

- Create a submission using the Contact From 7 plugin.
- On the Form Vibes tab in the dashboard, click "submissions" and implement the delete function on an entry.
- Intercept the request and send it to repeater in Burp suite.
- Change the parameter "params" to: {"ids":["9) AND (1=2);-- -"]}
- Send the request, we get this response: {"status":"failed","message":"Could not able to delete Entries"}
- Change the parameter "params" to: {"ids":["9) AND (1=1);-- -"]}
- Send the request, the response this time is the following: {"status":"passed","message":"Entries Deleted"}

Affects Plugins

Plugin icon
form-vibes
Fixed in 1.4.6

References

CVE
CVE-2022-3764
YouTube Video

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
9d49df6b-e2f1-4662-90d2-84c29c3b1cb0

Timeline

Publicly Published
2022-11-08 (about 1 years ago)
Added
2022-11-08 (about 1 years ago)
Last Updated
2022-11-08 (about 1 years ago)

Other

Published
Title
Published
2022-03-08
Title
Easy Social Icons < 3.1.4 - Admin+ SQL Injection
Published
2016-11-22
Title
Olimometer <= 2.56 - Unauthenticated SQL Injection
Published
2022-02-02
Title
NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
Published
2023-01-18
Title
MainWP Broken Links Checker Extension <= 4.0 - Unauthenticated SQLi
Published
2015-06-02
Title
LeagueManager <= 3.9.11 - Unauthenticated SQL Injection