The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
1. When editing a form, go to “Settings > MySQL Mapping”.
2. Click “Add a Query”.
3. When mapping the form to the database in the next screen, intercept the request and replace either the `id` or `form_id` parameter with the payload `1%20AND%20(SELECT%205065%20FROM%20(SELECT(SLEEP(5)))zYK1)`.
4. The request will run the SQL.
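The root cause is the unsanitised `id`/`form_id` parameter reaching the query as raw SQL. The following is an added illustration of that pattern beside its fixed form; it is not the plugin's own code, and the function names, the table name and the nonce action are hypothetical, while `$wpdb->prepare()`, `absint()`, `current_user_can()` and `check_admin_referer()` are the real WordPress APIs.

```php
<?php
// Added illustrative example, not code from the Contact Form Maker plugin.
// Hypothetical: example_* function names, the example_forms table, and the
// 'example_mysql_mapping' nonce action.

// Unsafe pattern: the request parameter is concatenated straight into the
// statement, so whatever the client sends is executed as SQL.
function example_load_form_unsafe() {
    global $wpdb;
    $form_id = $_REQUEST['form_id'];                          // untrusted string
    $sql     = "SELECT * FROM {$wpdb->prefix}example_forms WHERE id = " . $form_id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: check capability and nonce, coerce the parameter to a
// non-negative integer, and bind it with a %d placeholder so the value can
// never alter the structure of the statement.
function example_load_form_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;                                          // not an admin
    }
    check_admin_referer( 'example_mysql_mapping' );           // rejects forged requests
    $form_id = absint( $_REQUEST['form_id'] ?? 0 );           // "1 AND ..." becomes 1
    if ( 0 === $form_id ) {
        return null;                                          // missing or invalid id
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_forms WHERE id = %d",
        $form_id
    );
    return $wpdb->get_row( $sql );
}
```

Because `%d` forces an integer, the time-based payload in the steps above collapses to the literal `1` and the `SLEEP()` subquery never reaches MySQL.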
CPE

| Name | Operator | Version |
|---|---|---|
| contact-form-maker | eq | * |