Multiple blind SQL injection vulnerabilities were found in the FormBuilder WordPress Plugin. This allows an attacker, granted he has Author or higher privileges, to extract arbitrary data (eg the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on FormBuilder version 1.05.
This issue is resolved in FormBuilder version 1.08.
The FormBuilder Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.
It was discovered that FormBuilder is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Author (or higher privileges) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure an logged-in Author to perform malicious SQL commands on the database.
The vulnerabilities exist in the following functions:
The "fbid" parameter used in the above functions can be supplied by the user and is appended to the WHERE clause as "form_id" directly without performing any sanitization or escaping.
* Load the form fields from the database.
$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FORMS . " WHERE id = '$form_id' LIMIT 0,1;";
$results = $wpdb->get_results($sql, ARRAY_A);
$form = $results;
$sql = "SELECT * FROM " . FORMBUILDER_TABLE_FIELDS . " WHERE form_id = $form_id ORDER BY display_order ASC;";
$fields = $wpdb->get_results($sql, ARRAY_A);