FULL – Cliente WordPress Plugin SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the FULL – Cliente plugin for WordPress, affecting versions 3.1.5 prior to 3.1.25. The vulnerability arises from inadequate escaping of user-supplied data in the 'formId' parameter, coupled with a lack of proper preparation of the SQL query. This flaw allows authenticated attackers with Subscriber-level access or higher to inject additional SQL commands into existing queries, potentially leading to the extraction of sensitive information from the database. Exploitation requires the PRO version of the plugin, as well as Elementor Pro and Elementor CRM to be active.

Impact

Successful exploitation allows authenticated users with Subscriber-level access and above to perform SQL injection, potentially leading to unauthorized data access or manipulation in the WordPress database.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the WordPress site carrying the 'formId' parameter. The request must be made while the PRO version of the FULL – Cliente plugin is active, along with Elementor Pro and Elementor CRM. Because the parameter is neither escaped nor bound through a prepared statement, a crafted value is appended to the existing SQL query rather than treated as data.

Remediation

Users are advised to update the FULL – Cliente WordPress plugin to version 3.1.26 or a newer patched version.
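As an added illustration, not the plugin's own code: the defect class described under Vulnerability (an unescaped, unprepared 'formId' reaching a $wpdb query) next to the prepared-statement form that remediates it. The table name, column names and the capability checked are assumptions.

```php
<?php
// Hypothetical illustration of the defect described in this advisory; it is
// NOT the FULL - Cliente plugin's own code. Table/column names are assumed.

// VULNERABLE PATTERN: the user-supplied formId is interpolated straight into
// the SQL string. Any value that is not a plain integer changes the query
// that MySQL executes, which is exactly the injection the advisory describes.
function get_form_entries_vulnerable( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'crm_entries'; // assumed table name
    $sql   = "SELECT id, created_at FROM {$table} WHERE form_id = {$form_id}";
    return $wpdb->get_results( $sql );
}

// REMEDIATED PATTERN: the value is bound with $wpdb->prepare() using a %d
// placeholder, so WordPress casts it to an integer before it reaches the
// database. A capability check is added as well, so a Subscriber-level
// account cannot read CRM data even when it can reach the endpoint.
function get_form_entries_fixed( $form_id ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $table = $wpdb->prefix . 'crm_entries';
    $sql   = $wpdb->prepare(
        "SELECT id, created_at FROM {$table} WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_results( $sql );
}

// Shows what each variant would send to the database for a constructed,
// non-numeric sample input. Intended to be run inside WordPress (e.g. WP-CLI).
function demo_form_id_handling() {
    global $wpdb;
    $input  = '1 OR 1=1'; // constructed sample value, not a captured request
    $table  = $wpdb->prefix . 'crm_entries';
    $unsafe = "SELECT id FROM {$table} WHERE form_id = {$input}";
    $safe   = $wpdb->prepare( "SELECT id FROM {$table} WHERE form_id = %d", $input );
    // $unsafe keeps the injected condition; $safe binds the integer 1 only.
    return array( 'unsafe' => $unsafe, 'safe' => $safe );
}
```

When auditing a plugin for this bug class, grep for $wpdb calls whose SQL string is built with interpolation or concatenation of request data and confirm each one is routed through $wpdb->prepare() with a typed placeholder.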

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          1.0
  impact          2.5
  exploitability  6.4
  remediation     7.7
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.