WordPress Plugin WA Form Builder SQL Injection
Description: Type user access: any user. $POST ‘waformsId’ is not escaped. WAFormBuilderuioutput is accessible for any user. File / Code: Path: /wp-content/plugins/wa-form-builder/main.php global $wpdb; echo 'SELECT FROM '.$wpdb-prefix.'wapwaformbuilder WHERE Id = '.$REQUEST'waformsId'; $formattr...