SB2019030407 - Multiple vulnerabilities in Forminator Contact Form, Poll & Quiz Builder plugin for WordPress

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2019-9568)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the entry[] parameter to wp-admin/admin.php?page=forminator-entries URL,  if the attacker has the delete permission. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) Cross-site scripting (CVE-ID: CVE-2019-9567)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing a custom input field of a poll. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://lists.openwall.net/full-disclosure/2019/02/05/4
• https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection/
• https://wordpress.org/plugins/forminator/#developers
• https://wpvulndb.com/vulnerabilities/9215