This issue has been fixed in the latest version 1.15.6. Updating to the latest version is highly recommended. The plugin to update is Form Maker by 10Web. A SQL injection vulnerability has been discovered in the latest version 1.15.6 of the Form Maker by 10Web WordPress plugin. This issue has been verified to occur when a user is creating a new form. A particular risk for users on shared or public WordPress installations is that the default “admin” login does not have the necessary permissions to view and update plugin settings, which means that if access to the plugin folder or its functionality is limited to anyone but the admin user, this might have a significant impact on the security of the site as a whole.

Sybase SQL injection on wp-form-builder.php

This issue has been fixed in the latest version 1.15.6. Updating to the latest version is highly recommended. The plugin to update is Form Maker by 10Web. A SQL injection vulnerability has been discovered in the latest version 1.15.6 of the Form Maker by 10Web WordPress plugin. This issue has been verified to occur when a user is creating a new form and the “admin” login does not have the necessary permissions to view and update plugin settings, which means that if access to the plugin folder or its functionality is limited to anyone but the admin user, this might have a significant impact on the security of the site as a whole.

Weaknesses in Form Maker by 10Web WordPress Plugin

1. The default “admin” login does not have the necessary permissions to view and update plugin settings, which means that if access to the plugin folder or its functionality is limited to anyone but the admin user, this might lead to a significant impact on the security of the site as a whole.
2. Another weakness is that the Form Maker by 10Web WordPress plugin uses a MySQL database for storing information about forms, which has been reported in multiple cases as being vulnerable to SQL injection attacks.
3. An issue was found in the Form Maker by 10Web WordPress plugin that allowed an attacker to potentially gain access to personal information from other users stored in the backend of the platform.
4. There is also no option for limiting which specific users can create new forms within the plugin's backend, meaning that any user with write access could potentially modify any existing form or create a new one without restriction.
5. There are also no options for auditing what happens when a form is created or modified, meaning that even if an attacker cannot go as far as deleting all data or changing personal information, they could still make unauthorized changes without any difficulty.

Reported vulnerability details


Description of the WordPress Form Maker SQL Injection Vulnerability

A SQL injection vulnerability has been discovered in the latest version 1.15.6 of the Form Maker by 10Web WordPress plugin. This issue has been verified to occur when a user is creating a new form. A particular risk for users on shared or public WordPress installations is that the default “admin” login does not have the necessary permissions to view and update plugin settings, which means that if access to the plugin folder or its functionality is limited to anyone but the admin user, this might have a significant impact on the security of the site as a whole.

How does the Form Maker SQL Injection Vulnerability work?

When creating a form, the following parameters are passed to the plugin:
1. The user ID of the current user;
2. The HTML to be inserted into the form;
3. The name of the form field, including its label and any required attributes; and
4. The default value for this field.
The vulnerability is around line 212 of the plugin code, where it is possible to inject SQL statements into an existing table on the WordPress website by POSTing data to /wp-admin/admin-ajax.php?action=edit_form&fid=XXXXX&new_value=Y&name=YYYYY&lbl=abc or simply by changing text on the page itself without using a form. This issue has been verified to occur when a user is creating a new form, but it might also occur when editing an existing one, near line 77 (in edit mode) or line 219 (in add mode).
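
As an added example (not code from the plugin or from this advisory), the following Python code flags access-log requests to the admin-ajax.php edit_form action described above whose fid, new_value, name or lbl query parameters contain SQL syntax. The combined log format, the sample lines, the assumption that fid is numeric and the pattern list are constructed for illustration; POST bodies do not appear in access logs, so only the query string is checked.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names for the form-editing request.
WATCHED = ("fid", "new_value", "name", "lbl")
# Heuristic (assumption): characters and keywords unusual in a form id, name or label.
SQL_META = re.compile(r"""['"`;]|--|/\*|\bunion\b.+\bselect\b|\bsleep\s*\(""", re.I)
# Request part of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2022:17:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=edit_form&fid=12&new_value=Y&name=email&lbl=abc HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Oct/2022:17:21:44 +0000] "POST /wp-admin/admin-ajax.php?action=edit_form&fid=12%27--&new_value=Y&name=email&lbl=abc HTTP/1.1" 200 498',
    '203.0.113.9 - - [25/Oct/2022:17:22:10 +0000] "POST /wp-admin/admin-ajax.php?action=edit_form&fid=12&new_value=Y&name=a%20UNION%20SELECT%201&lbl=abc HTTP/1.1" 500 0',
    '198.51.100.4 - - [25/Oct/2022:17:23:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
]

def suspicious_params(log_line):
    """Return {param: reason} for an edit_form request, {} for anything else."""
    m = REQUEST.search(log_line)
    if not m:
        return {}
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return {}
    # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
    query = parse_qs(url.query, keep_blank_values=True)
    if query.get("action") != ["edit_form"]:
        return {}
    findings = {}
    for name in WATCHED:
        for value in query.get(name, []):
            if name == "fid" and not value.isdigit():
                findings[name] = "non-numeric form id"
            elif SQL_META.search(value):
                findings[name] = "SQL metacharacters"
    return findings

def scan(lines):
    """Return (line number, findings) for every flagged line."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := suspicious_params(line))]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(lineno, findings)
```

Matches are leads for review rather than proof of exploitation, since legitimate labels can contain quotes or semicolons.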

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/25/2022 20:07:00 UTC

References