GB Forms DB WordPress Plugin Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the GB Forms DB plugin for WordPress, affecting all versions through 1.0.2. The issue arises in the 'gbfdb_talk_to_front()' function, which improperly sanitizes user input before passing it to 'call_user_func()'. This flaw allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to the injection of backdoors or the creation of new administrative user accounts.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the WordPress site is hosted.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'wp_ajax_gbfdb_talk_to_front' action. The request must include the 'function' parameter with the name of a callable function and the 'data' parameter with a JSON-encoded string. The 'gbfdb_talk_to_front()' function will then execute the specified function, allowing for code injection.

Remediation

Users are advised to update the GB Forms DB plugin to version 1.0.3 or later.