Form Maker by 10Web SQL Injection Vulnerability in WordPress

Vulnerability

A SQL injection vulnerability has been identified in the Form Maker by 10Web plugin for WordPress, affecting all versions up to and including 1.15.40. It is reachable through the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters of the plugin's Submissions view in the WordPress admin area. The 'WDW_FM_Library::validate_data()' method strips the escaping that WordPress's 'wp_magic_quotes()' applies to request data, and 'FMModelSubmissions_fm::get_labels_parameters()' then concatenates the unescaped values directly into SQL queries without any further escaping or parameterization. An authenticated attacker with Administrator-level access can therefore append arbitrary SQL to these queries and extract sensitive information from the database. Because the Submissions controller's 'display' task performs no nonce verification, the same request can also be forged cross-site (CSRF): an attacker who induces a logged-in administrator to open a crafted link triggers the injection with the administrator's privileges.

Impact

Successful exploitation lets an attacker inject arbitrary SQL into the submissions queries and read sensitive information from the WordPress database. The injection itself requires Administrator-level access, but the missing nonce check means an unauthenticated attacker can obtain the same effect by luring a logged-in administrator to a crafted link.

Reproduction

An authenticated user with Administrator privileges sends a request to the plugin's Submissions page in the WordPress admin area with a crafted value in any of the 'ip_search', 'startdate', 'enddate', 'username_search', or 'useremail_search' parameters; the value has its magic-quote escaping removed and reaches the SQL query unmodified. Because the 'display' task of the Submissions controller does not verify a nonce, the same request can be delivered via CSRF: the attacker persuades a logged-in administrator to open a specially crafted link, and the administrator's browser issues the request that triggers the injection.
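
The following PHP is an added illustrative example, not code from the Form Maker plugin or from 10Web. It models the bug class described above (magic-quote escaping stripped, then values concatenated into SQL, with no nonce check on the controller task) beside a hardened version using WordPress's own APIs. The table name, column names, the 'fm_example_*' function names, and the nonce action name are assumptions made for the illustration.

```php
<?php
/*
 * Illustrative example added to this advisory; not the plugin's own code.
 * Table/column names and the fm_example_* function names are hypothetical.
 */

// Vulnerable pattern: undo wp_magic_quotes() escaping, then concatenate.
function fm_example_submissions_sql_vulnerable( $request ) {
    global $wpdb;
    // WordPress adds slashes to request superglobals via wp_magic_quotes().
    // Stripping them hands the raw quote characters straight to the query.
    $ip_search = isset( $request['ip_search'] ) ? stripslashes( $request['ip_search'] ) : '';
    $startdate = isset( $request['startdate'] ) ? stripslashes( $request['startdate'] ) : '';

    $where = ' WHERE 1=1';
    if ( '' !== $ip_search ) {
        // A value such as  ' OR 1=1 --   closes the quote and appends SQL.
        $where .= " AND ip LIKE '%" . $ip_search . "%'";
    }
    if ( '' !== $startdate ) {
        $where .= " AND date >= '" . $startdate . "'";
    }
    return "SELECT * FROM {$wpdb->prefix}fm_example_submits" . $where;
}

// Hardened pattern: unslash once, validate, and let $wpdb->prepare() quote.
function fm_example_submissions_sql_fixed( $request ) {
    global $wpdb;
    $ip_search = isset( $request['ip_search'] )
        ? sanitize_text_field( wp_unslash( $request['ip_search'] ) ) : '';
    $startdate = isset( $request['startdate'] )
        ? sanitize_text_field( wp_unslash( $request['startdate'] ) ) : '';

    $sql  = "SELECT * FROM {$wpdb->prefix}fm_example_submits WHERE 1=1";
    $args = array();
    if ( '' !== $ip_search ) {
        // esc_like() escapes % and _ so the user cannot widen the pattern;
        // the %s placeholder makes prepare() quote and escape the value.
        $sql   .= ' AND ip LIKE %s';
        $args[] = '%' . $wpdb->esc_like( $ip_search ) . '%';
    }
    if ( '' !== $startdate ) {
        // Reject anything that is not a YYYY-MM-DD date before it reaches SQL.
        if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $startdate ) ) {
            return null;
        }
        $sql   .= ' AND date >= %s';
        $args[] = $startdate;
    }
    // prepare() warns when called without placeholders, so only call it
    // when at least one filter was added.
    return $args ? $wpdb->prepare( $sql, $args ) : $sql;
}

// Controller task with the capability and nonce checks the advisory says
// were missing. A link forged from another origin fails check_admin_referer().
function fm_example_display_submissions() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'fm_example_display_submissions', '_wpnonce' );

    $sql = fm_example_submissions_sql_fixed( $_GET );
    if ( null === $sql ) {
        wp_die( 'Invalid filter value' );
    }
    return $wpdb->get_results( $sql );
}
```

Links to the hardened task are generated with wp_nonce_url( admin_url( 'admin.php?page=...' ), 'fm_example_display_submissions' ), so the nonce is present only on links the site itself rendered for that administrator. The capability check alone does not stop CSRF, because the victim administrator satisfies it; the nonce is what blocks the forged request.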

Remediation

Users are advised to update the Form Maker by 10Web plugin to version 1.15.41 or later.

Added: Apr 17, 2026, 5:30 AM
Updated: Apr 17, 2026, 5:30 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.