CVE-2023-35911 is a serious SQL Injection vulnerability found in the Contact Form Generator: Creative Form Builder for WordPress plugin. This article gives an easy-to-understand breakdown of the vulnerability, shows proof-of-concept code, explains how attackers could exploit it, and gives practical advice on staying secure. If you run WordPress and use this plugin (version up to and including 2.6.), this is a must-read.

What is CVE-2023-35911?

This vulnerability exists because the plugin does not properly sanitize user input before using it in SQL queries. That means attackers can inject malicious SQL code through form fields, potentially allowing them to read, change, or delete information from your site's database.

Technical Details

When a visitor fills out a form built with this plugin, the submission gets stored in a MySQL database. The plugin fails to "escape" (sanitize) special characters in the input fields. For example, if a user enters something like:

1'; DROP TABLE wp_users;--

That SQL could be executed directly, deleting every user account if the attacker gets lucky (or, from the site owner's side, unlucky).

Vulnerable Code Example

```php
<?php
// Simplified vulnerable example from the plugin (the defect is intentional:
// raw request values are concatenated straight into the SQL string).
global $wpdb;

$name  = $_POST['name'];
$email = $_POST['email'];

// No escaping, no placeholders: a quote in $name or $email ends the string
// literal and whatever follows becomes part of the statement.
$sql    = "INSERT INTO wp_cff_submissions (name, email) VALUES ('$name', '$email')";
$result = $wpdb->query($sql);
```

There is no sanitization and no prepared statement above. An attacker controls the full content of $name, and the database server simply executes whatever string results.

With a crafted name value, the resulting SQL query becomes:

```sql
INSERT INTO wp_cff_submissions (name, email) VALUES ('test'); SELECT user_login, user_pass FROM wp_users; --', 'attacker@evil.com')
```

Depending on the setup, this can expose user details or crash the database (sometimes with error messages leaking info). More dangerous payloads could allow attackers to escalate their access.
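A hardened version of the insert above, added here as an example and not code from the plugin. It assumes it runs inside WordPress (so $wpdb, wp_unslash and the sanitize_* helpers are loaded), that the submissions table uses the site's table prefix, and that the columns id, name and email exist (the column list is an assumption).

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded so that
// $wpdb and the sanitize_* helpers exist; column names are assumed.

/**
 * Store a form submission without building SQL from raw request data.
 * Returns the new row ID, or false when validation or the insert fails.
 */
function cff_store_submission_safe(array $request) {
    global $wpdb;

    // 1. Validate and normalise input before it gets anywhere near SQL.
    $name  = isset($request['name'])  ? sanitize_text_field(wp_unslash($request['name']))  : '';
    $email = isset($request['email']) ? sanitize_email(wp_unslash($request['email'])) : '';
    if ($name === '' || strlen($name) > 100 || !is_email($email)) {
        return false;
    }

    // 2. Let $wpdb build the statement: values are bound, never interpolated,
    //    so a name such as  test'); SELECT ... --  is stored as plain text.
    $table = $wpdb->prefix . 'cff_submissions';
    $ok = $wpdb->insert(
        $table,
        array('name' => $name, 'email' => $email),
        array('%s', '%s')   // explicit formats: both columns are strings
    );
    return ($ok === false) ? false : (int) $wpdb->insert_id;
}

/**
 * Reading rows back: when a hand-written query is unavoidable, route every
 * user-controlled value through $wpdb->prepare() placeholders (%s, %d).
 * Table names cannot be bound, so the prefix is concatenated separately.
 */
function cff_find_submissions_by_email($email) {
    global $wpdb;
    $table = $wpdb->prefix . 'cff_submissions';
    $sql   = $wpdb->prepare(
        "SELECT id, name, email FROM {$table} WHERE email = %s LIMIT %d",
        sanitize_email($email),
        50
    );
    return $wpdb->get_results($sql, ARRAY_A);
}
```

With this shape, the payload from the article arrives in the database as a literal string in the name column rather than as a second statement.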

Demo: How Attackers Find and Exploit This

1. Recon: Attacker uses Google/OSINT to find WordPress sites using the plugin. (e.g. inurl:?cfgen-form=)

```bash
sqlmap -u "https://victimsite.com/?cfgen-form=1" --data="name=test&email=evil@evil.com" --risk=3 --level=5
```

If you use this plugin

1. Update Immediately: Check the plugin page on WordPress.org for a fixed version or temporary removal.
2. Deactivate/Remove Plugin: If no patch is available, disable the plugin now.
3. Scan for Compromise: Use WPScan or Wordfence to check for signs of exploitation.


References & More Reading

- NVD - CVE-2023-35911 Entry
- WPScan Vulnerability Report
- WordPress Plugin Official Page
- Guide: Preventing SQL Injection in WordPress

Final Thoughts

CVE-2023-35911 shows how even popular plugins can expose sites to dangerous attacks if they skip basic security steps. SQL Injection is easy to prevent, yet still happens, often because of legacy code or bad examples online. Always keep your plugins updated, run regular security scans, and review code or push your plugin vendors to follow best practices.

If your site collects any kind of user input, it’s your job to make sure that input isn’t a threat.

Timeline

Published on: 11/06/2023 09:15:07 UTC
Last modified on: 11/10/2023 04:19:43 UTC