WordPress Contact Form Maker SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the WordPress Contact Form Maker plugin, affecting versions 1.12.20 and earlier. It allows authenticated attackers to manipulate database queries by injecting SQL code through the 'name' and 'search_labels' parameters. Successful exploitation could lead to the extraction of sensitive database information or unauthorized privilege escalation.

Impact

Exploitation of this vulnerability could result in unauthorized database access, allowing attackers to extract, modify, or delete database information. Additionally, the vulnerability could be used to escalate privileges within the application.

Reproduction

To reproduce this vulnerability, log in to a WordPress site as an authenticated user with access to the Contact Form Maker plugin settings. Then send a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'FormMakerSQLMapping_fmc' or 'generete_csv_fmc', and include a 'name' or 'search_labels' parameter carrying a crafted SQL payload. The injected SQL can, for example, extract data from the database through techniques such as time-based blind injection.
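
The following detection logic is an added example, not part of the advisory or the plugin's code: it flags POST requests to admin-ajax.php whose 'action' is one of the two vulnerable actions named above and whose 'name' or 'search_labels' value carries SQL meta-characters or time-based blind probes such as SLEEP(). It assumes request records (user, path, url-encoded body) as a WAF or audit log would export them; the sample records are constructed.

```python
# Added example (not from the advisory). Flags requests to the vulnerable
# admin-ajax.php actions whose 'name'/'search_labels' values look like SQLi.
import re
from typing import Optional
from urllib.parse import parse_qs

VULNERABLE_ACTIONS = {"FormMakerSQLMapping_fmc", "generete_csv_fmc"}
SUSPECT_PARAMS = ("name", "search_labels")
# Indicators typical of SQL injection attempts, including time-based blind probes.
SQLI_PATTERN = re.compile(
    r"('|\"|--|#|/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return a finding if the POST targets a vulnerable action with a suspicious
    'name'/'search_labels' value, else None."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action not in VULNERABLE_ACTIONS:
        return None
    hits = {}
    for p in SUSPECT_PARAMS:
        for value in params.get(p, []):
            m = SQLI_PATTERN.search(value)
            if m:
                hits[p] = m.group(0)  # first indicator found in the value
    return {"action": action, "indicators": hits} if hits else None


# Constructed sample records (user, path, url-encoded POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("editor", "/wp-admin/admin-ajax.php", "action=generete_csv_fmc&name=contact%20form"),
    ("editor", "/wp-admin/admin-ajax.php", "action=generete_csv_fmc&name=x%27%20AND%20SLEEP%285%29--%20-"),
    ("editor", "/wp-admin/admin-ajax.php", "action=FormMakerSQLMapping_fmc&search_labels=a%27%20OR%201%3D1--"),
    ("editor", "/wp-admin/admin-ajax.php", "action=heartbeat&data=x%27"),
]


def scan(records) -> list:
    """Run inspect_request over (user, path, body) records; return findings with the user."""
    findings = []
    for user, path, body in records:
        finding = inspect_request(path, body)
        if finding:
            findings.append({"user": user, **finding})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f)
```

Benign use of the same actions (the first record) produces no finding, and the same payload against an unrelated action (the last record) is ignored, so the rule keys on the advisory's specific action names rather than on admin-ajax.php traffic in general.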

Added: May 26, 2026, 9:17 PM
Updated: May 26, 2026, 9:17 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  6.6
remediation     0.0
relevance       9.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.