Contact Form Pro 2.1.2 WP SQL injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>Contact Form Pro 2.1.2 WP SQL injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>[+] Date: [22-8-2016] [+] Autor Guillermo Garcia Marcos [+] Vendor: https://wordpress.org/plugins/custom-user-contact-form-builder/ [+] Title: Contact Form Pro 2.1.2 WP SQL injection [+] info: Multiples SQl injection. Contact Form Pro fails to sanitized user supplied input and is vulnerable to SQL Injection. An attacker can obtain any data of the database including user logins and password's of the WordPress installation, allowing him to obtain access to the application and gain administration privileges. [-] Vuln Files: [+] add-form.php ... if(isset($_REQUEST['id'])) { $qry = "select * from $cfp_forms where id =".$_REQUEST['id']; $row = $wpdb->get_row($qry); $form_options = maybe_unserialize($row->form_option); $submit_button_label = $form_options['submit_button_label']; } .. [+] manage_entries.php ... $form_id = $_REQUEST['form_id']=$reg; ... if($_REQUEST['form_id']!="") { $total = $wpdb->get_var( "SELECT count(*) FROM $cfp_entries where form_id ='".$form_id."'" ); $num_of_pages = ceil( $total / $limit ); [+] manage-form-fields.php .. $qry1 = "select * from $cfp_fields where Form_Id = '".$_REQUEST['form_id']."' order by ordering asc"; $row1 = $wpdb->get_results($qry1); .. [+] add_field.php if(isset($_REQUEST['id'])) { $qry="select * from $cfp_fields where Id=".$_REQUEST['id']; $reg = $wpdb->get_row($qry); </BODY></HTML>