high threat

WordPress Form Maker Plugin SQL Injection Vulnerability (CVE-2018-25346)

WordPress Form Maker Plugin version 1.12.24 and below is vulnerable to SQL injection, allowing authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv actions via crafted POST requests, potentially leading to data extraction, modification, or privilege escalation.

The WordPress Form Maker Plugin, specifically versions 1.12.24 and below, is susceptible to SQL injection vulnerabilities. This flaw allows authenticated attackers to inject malicious SQL code into database queries through specific actions within the plugin. The vulnerability exists within the FormMakerSQLMapping and generete_csv functionalities. By crafting malicious POST requests and injecting SQL payloads into the 'name' and 'search_labels' parameters, attackers can manipulate database queries to extract sensitive data, modify existing records, or potentially escalate their privileges within the WordPress database. This vulnerability presents a significant risk to websites using the vulnerable plugin, potentially leading to complete compromise of the affected WordPress instance.

Attack Chain

  1. Attacker authenticates to the WordPress instance with valid user credentials.
  2. Attacker crafts a POST request targeting the FormMakerSQLMapping action.
  3. The POST request includes a malicious SQL payload within the 'name' parameter.
  4. The application fails to properly sanitize the 'name' parameter, allowing the SQL code to be injected into a database query.
  5. The injected SQL code is executed against the WordPress database.
  6. Attacker crafts a POST request targeting the generete_csv action.
  7. The POST request includes a malicious SQL payload within the 'search_labels' parameter.
  8. The injected SQL code is executed against the WordPress database, potentially allowing the attacker to extract sensitive information or modify data.

Impact

Successful exploitation of this SQL injection vulnerability can lead to several critical impacts. Attackers could extract sensitive data such as user credentials, customer information, or other confidential data stored in the WordPress database. They could also modify existing data, potentially defacing the website or corrupting critical information. In a worst-case scenario, attackers could escalate their privileges to administrator level, granting them full control over the WordPress instance. This could lead to complete compromise of the website and its associated data.

Recommendation

  • Upgrade the WordPress Form Maker Plugin to a version greater than 1.12.24 to patch CVE-2018-25346.
  • Deploy the Sigma rule “Detect WordPress Form Maker SQL Injection via FormMakerSQLMapping” to your SIEM to detect exploitation attempts.
  • Deploy the Sigma rule “Detect WordPress Form Maker SQL Injection via generete_csv” to detect exploitation attempts.
  • Monitor web server logs for suspicious POST requests targeting the FormMakerSQLMapping and generete_csv actions in the WordPress Form Maker Plugin.
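The log monitoring in the last recommendation can be sketched as follows. This is an added example, not part of the original advisory and not the platform's Sigma rules. The log format (common log format with the POST body appended as a final quoted field), the endpoint path in the sample lines, the `SQLI_HINT` heuristic and the `triage` helper are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Action -> parameter the advisory names as the injection point.
WATCHED = {"FormMakerSQLMapping": "name", "generete_csv": "search_labels"}

# Heuristic SQL markers only; a miss here does not prove a request is benign.
SQLI_HINT = re.compile(r"['\"]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)

# Assumed format: common log format plus the POST body as a last quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+(?: "(?P<body>[^"]*)")?'
)

def triage(lines):
    """Return (client_ip, action, verdict) for each POST to a watched action."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # The action and its parameters may arrive in the query string or the body.
        params = parse_qs(urlsplit(m["uri"]).query, keep_blank_values=True)
        for key, vals in parse_qs(m["body"] or "", keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
        for action in params.get("action", []):
            if action not in WATCHED:
                continue
            values = params.get(WATCHED[action], [])
            hit = any(SQLI_HINT.search(v) for v in values)
            findings.append((m["ip"], action, "sqli-pattern" if hit else "review"))
    return findings

# Constructed sample lines; the endpoint path and addresses are illustrative.
SAMPLE = [
    '203.0.113.7 - - [10/May/2018:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=FormMakerSQLMapping HTTP/1.1" 200 512 "name=wp_posts"',
    '198.51.100.9 - - [10/May/2018:10:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=FormMakerSQLMapping HTTP/1.1" 200 733 "name=x%27+UNION+SELECT+1"',
    '198.51.100.9 - - [10/May/2018:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "action=generete_csv&search_labels=1%2C2"',
    '203.0.113.7 - - [10/May/2018:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=generete_csv HTTP/1.1" 200 10',
    '203.0.113.7 - - [10/May/2018:10:03:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 10 "name=a%27"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Standard access logs do not record POST bodies, so without body logging every match falls back to the "review" verdict and needs correlation with the authenticated session and the installed plugin version.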

Detection coverage 2

Detect WordPress Form Maker SQL Injection via FormMakerSQLMapping

high

Detects CVE-2018-25346 exploitation — SQL injection attempts targeting the FormMakerSQLMapping action in the WordPress Form Maker Plugin through the 'name' parameter.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver

Detect WordPress Form Maker SQL Injection via generete_csv

high

Detects CVE-2018-25346 exploitation — SQL injection attempts targeting the generete_csv action in the WordPress Form Maker Plugin through the 'search_labels' parameter.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver
