Multiple blind SQL injection vulnerabilities were found in the FormBuilder WordPress Plugin. This allows an attacker, granted he has Author or higher privileges, to extract arbitrary data (eg the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.
OVE-20160724-0008
This issue was successfully tested on FormBuilder version 1.05.
This issue is resolved in FormBuilder version 1.08.
The FormBuilder Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.
It was discovered that FormBuilder is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Author (or higher privileges) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.
The vulnerabilities exist in the following functions: - formbuilder_options_exportForm - formbuilder_options_removeForm - formbuilder_options_editForm
The "fbid" parameter used in the above functions can be supplied by the user and is appended to the WHERE clause as "form_id" directly without performing any sanitization or escaping.
Example 1:
formbuilder/php/formbuilder_admin_functions.php
case "exportForm":
formbuilder_options_exportForm($_GET['fbid']);
formbuilder/php/formbuilder_admin_pages.inc.php
function formbuilder_options_exportForm($form_id)
{
[..]
/*
* Load the form fields from the database.
*/
$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FORMS . " WHERE id = '$form_id' LIMIT 0,1;";
$results = $wpdb->get_results($sql, ARRAY_A);
$form = $results[0];
$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FIELDS . " WHERE form_id = $form_id ORDER BY display_order ASC;";
$fields = $wpdb->get_results($sql, ARRAY_A);
I originally wrote this article for Securify B.V. Read more.