The `delete_entries` function does not filter or validate the parameters it receives from the request before using them in a database query. This leads to an SQL injection vulnerability (boolean-based, as the proof of concept below shows).
- Create a submission using the Contact Form 7 plugin.
- On the Form Vibes tab in the dashboard, click "submissions" and trigger the delete function on an entry.
- Intercept the request and send it to Repeater in Burp Suite.
- Change the parameter `params` to: `{"ids":["9) AND (1=2);-- -"]}`
- Send the request; we get this response: `{"status":"failed","message":"Could not able to delete Entries"}`
- Change the parameter `params` to: `{"ids":["9) AND (1=1);-- -"]}`
- Send the request; the response this time is the following: `{"status":"passed","message":"Entries Deleted"}`
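The root cause is that the `ids` array taken from the `params` JSON is concatenated into the `DELETE` statement. The handler below is an added, illustrative hardened version written for this advisory (not Form Vibes' own code); the AJAX action name, nonce name and table name `fv_entries` are assumptions. It rejects any id that is not a positive integer and binds the surviving ids through `$wpdb->prepare`, so a value like `9) AND (1=1);-- -` is refused before any SQL is built.

```php
<?php
// Added example: hardened bulk-delete AJAX handler for a WordPress plugin.
// Illustrative only; action name, nonce name and table name are assumptions.

add_action( 'wp_ajax_fv_delete_entries_hardened', 'fv_delete_entries_hardened' );

function fv_delete_entries_hardened() {
    global $wpdb;

    // Only authenticated, authorised users with a valid nonce may delete.
    check_ajax_referer( 'fv_delete_entries_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $raw    = isset( $_POST['params'] ) ? wp_unslash( $_POST['params'] ) : '';
    $params = json_decode( $raw, true );
    if ( ! is_array( $params ) || empty( $params['ids'] ) || ! is_array( $params['ids'] ) ) {
        wp_send_json_error( array( 'message' => 'Malformed params' ), 400 );
    }

    // Strict allow-list: every id must be a positive integer. A string such as
    // "9) AND (1=1);-- -" fails this check and never reaches the query.
    $ids = array();
    foreach ( $params['ids'] as $id ) {
        if ( ! is_int( $id ) && ! ( is_string( $id ) && ctype_digit( $id ) ) ) {
            wp_send_json_error( array( 'message' => 'Invalid entry id' ), 400 );
        }
        $ids[] = (int) $id;
    }

    // Parameterised query: one %d placeholder per id, values bound by $wpdb.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'fv_entries'; // assumed table name
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Could not delete entries' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

With this shape, a request whose response differs between `1=1` and `1=2` payloads is impossible, because both are rejected identically with HTTP 400 before the database is touched.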
| CPE | Name | Operator | Version |
|---|---|---|---|
| | form-vibes | lt | 1.4.6 |