Form Maker by 10Web < 1.13.36 - Authenticated SQL Injection



Description
Authenticated (admin+) SQL injection exists in the Form Maker by 10Web WordPress plugin 1.13.35 via the s parameter of /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1". An administrator-level user can supply an unescaped value through this parameter and alter the SQL query behind the blocked IPs page.
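As an added illustration of the defect class (CWE-89 in an admin search parameter), and not the plugin's own code nor the fix in the referenced changeset, the snippet below contrasts a string-interpolated WordPress query with one that binds the user value through $wpdb->prepare(). The table name fm_blocked_ips, its ip column, and the fm_example_ function names are assumptions made for the example.

```php
<?php
// Added example, not Form Maker's code. Assumes a hypothetical table
// {$wpdb->prefix}fm_blocked_ips with columns `id` and `ip`.

// Weak pattern: the request value is concatenated into the SQL text, so a
// value containing a quote character changes the structure of the statement.
// This is the shape of bug that CWE-89 describes.
function fm_example_search_blocked_ips_unsafe( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fm_blocked_ips';
    $sql   = "SELECT id, ip FROM $table WHERE ip LIKE '%$search%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: normalise the input, escape LIKE wildcards, and let
// $wpdb->prepare() emit the value as a quoted string literal (%s). The query
// structure is now fixed regardless of what the `s` parameter contains.
function fm_example_search_blocked_ips_safe( $search ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'fm_blocked_ips';
    $search = sanitize_text_field( wp_unslash( $search ) );
    $like   = '%' . $wpdb->esc_like( $search ) . '%';
    $sql    = $wpdb->prepare( "SELECT id, ip FROM `$table` WHERE ip LIKE %s", $like );
    return $wpdb->get_results( $sql );
}

// Admin page handler. The capability check is the authentication boundary;
// because this issue is exploitable by an authenticated admin, that check
// alone is not a mitigation, and the prepared query is what removes the
// injection.
function fm_example_blocked_ips_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $search = isset( $_GET['s'] ) ? $_GET['s'] : '';
    $rows   = fm_example_search_blocked_ips_safe( $search );

    echo '<table class="widefat"><tr><th>ID</th><th>IP</th></tr>';
    foreach ( $rows as $row ) {
        // Output encoding for the admin page itself.
        echo '<tr><td>' . esc_html( $row->id ) . '</td><td>' . esc_html( $row->ip ) . '</td></tr>';
    }
    echo '</table>';
}
```

When reviewing plugin code for this bug class, the thing to look for is any $wpdb->query(), get_results(), get_var() or get_row() call whose SQL string is built with interpolation or concatenation of request data rather than passed through $wpdb->prepare(); the referenced changeset is where the vendor's actual correction can be compared against this pattern.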

Edit (WPScanTeam):
- Initial reported version (5.4.1) does not exist, confirmed to be 1.13.35 by researcher
- May 25th, 2020 - details made public in other places
- May 26th, 2020 - Escalated to WP Plugins Team

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugin

References

URL https://plugins.trac.wordpress.org/changeset/2313762/form-maker

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Vu Tien Hoa - SunCSR (Sun* Cyber Security Research)
Submitter Vu Tien Hoa
Submitter Website https://research.sun-asterisk.com/
Submitter Twitter https://twitter.com/hoavt_
Views 1752
Verified No
WPVDB ID 10237

Timeline

Publicly Published 2020-05-26
Added 2020-05-26
Last Updated 2020-06-05
