WordPress Form Maker 1.13.3 SQL Injection

2019.05.13

Credit: Daniele Scanu

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2019-10866

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection
# Date: 22-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://10web.io/plugins/
# Software Link: https://wordpress.org/plugins/form-maker/
# Version: 1.13.3
# Tested on: Wordpress 5.1
Description:
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to
achieve SQL injection in the function get_labels_parameters in the file
form-maker/admin/models/Submissions_fm.php with a crafted value of the
asc_or_desc parameter.
PoC:
* Go in to Form-Maker menu and select Submissions.
* Open menu "Select a form" and select an any item for example "Contact Us".
* Go in to url bar and insert in asc_or_desc parameter a payload such as:
,(case+when+(select+sleep(5)+from+wp_formmaker_submits+limit+1)+then+1+else+2+end)+asc+--+
With this payload the server will sleep for 5 second.
MITRE assigned CVE-2019-10866 for this issue.
Daniele Scanu

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Form Maker 1.13.3 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.