WordPress Plugin Vulnerabilities

Contact Form to Any API < 1.1.3 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape the form_id parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
contact-form-to-any-api
Fixed in 1.1.3

References

CVE
CVE-2023-32741

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Arvandy
Verified
No
WPVDB ID
ee1f0bf8-52ef-4f24-9317-fd1485639f5f

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Beer Recipes 1.0 - XSS
Published
2025-04-17
Title
Quentn WP < 1.2.9 - Unauthenticated SQL Injection
Published
2024-08-26
Title
Woocommerce Addon by Greenshift< 1.9.8 - Authenticated (Subscriber+) SQL Injection
Published
2021-09-27
Title
Check & Log Email < 1.0.3 - Admin+ SQL Injections
Published
2022-05-30
Title
Better Find and Replace < 1.3.6 - Admin+ SQLi