Contact Form by WD <= 1.13.23 – Admin+ SQLi | CVE 2023-2655 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

1. When editing a form, go to "Settings > MySQL Mapping".
2. Click "Add a Query" 
3. When mapping the form to the database in the next screen, intercept the request and replace either the `id` or `form_id` parameter with the payload `1%20AND%20(SELECT%205065%20FROM%20(SELECT(SLEEP(5)))zYK1)`
4. The request will run the SQL.

Affects Plugins

contact-form-maker

No known fix

References

CVE

YouTube Video

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

killr00t

Submitter

killr00t

Submitter website

http://trackmaze.blogspot.com/

Submitter twitter

Verified

Yes

WPVDB ID

b3f2d38f-8eeb-45e9-bb58-2957e416e1cd

Timeline

Publicly Published

2023-06-15 (about 10 months ago)

Added

2023-06-15 (about 10 months ago)

Last Updated

2023-06-15 (about 10 months ago)

Other

Published

Title

Published

2023-11-28

Title

WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint

Published

2020-04-29

Title

Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection

Published

2016-12-14

Title

ZM Gallery 1.0 – Authenticated Blind SQL Injection

Published

2014-09-19

Title

YAWPP < 1.2.2 - SQL Injection

Published

2023-09-18

Title

wpDiscuz < 7.6.6 - Unauthenticated SQL Injection