• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
WordPress Vulnerability

SQL Injection in Advance Contact Form 7 DB

April 11, 2019John Castro

Security Risk: Dangerous

Exploitation Level: Easy/Remote

DREAD Score: 7/10

Vulnerability: SQL Injection

Patched Version: 1.6.1

619
SHARES
FacebookTwitterSubscribe

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form 7 DB WordPress plugin.

Current State of the Vulnerability

This plugin saves all Contact Form 7 submissions to the database using a friendly interface. Though the bug has been fixed in the 1.6.1 release, it can be exploited by an attacker who has (at minimum) a subscriber account.

When leveraged, bad actors can leak sensitive data — and in certain configurations compromise an entire WordPress installation.

We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline:

  • March 26, 2019: Initial contact attempt.
  • April 10, 2019: Patch is live.

Technical Details

WordPress offers an API that enables developers to create content which can be injected to a webpage using a simple shortcode.

The attack vector used to exploit this vulnerability requires the bad actor to have an account on the victim’s site — however, it doesn’t matter what the account privileges are. This is possible thanks to the wp-ajax-parse-media-shortcode function defined in WordPress Core.

This particular plugin defines the shortcode acf7db in the public/class-advanced-cf7-db-public.php file:

Plugin defines the shortcode “acf7db” in the vulnerability

SQL injections can be tricky in the WordPress world due to the increase and popularity of methods like wpdb::prepare, which promise a safe execution of SQL queries.

However, in a number of places user input coming from the shortcode acf7db is not properly sanitized before being included in SQL queries. These queries are then executed directly using the wpdb->get_results() method.

Here is one of the exploitable queries:

One of the exploitable queries for SQL Injection

If attackers are able to set arbitrary values for the variable $fid, they can modify the query in such a way that can lead to a full server compromise. We cannot underestimate the ramifications of an SQL injection — or know exactly how many servers may allow attackers to obtain more than just encrypted hashes and user emails.

Indicators of Compromise

While plugin users won’t necessarily see anything malicious on the website, the most obvious indicator of compromise would be malicious content found within the database.

If you begin to see database errors or other unusual behavior and are using a vulnerable version of this plugin, consider patching the vulnerability and scanning your server for malware.

Update as Soon as Possible

SQL injections are dangerous and can impact a variety of SQL databases. Using this vector, attackers can manipulate a site argument in order to inject their own commands to the database and retrieve sensitive data — including usernames and password hashes.

If you’re using a vulnerable version of this plugin, update it immediately to mitigate the risk to your website.

Attacks like the one we see in this particular SQL injection vulnerability are particularly serious. Bad actors can use automation to mount successful, widespread attacks against any website using the vulnerable component.

Keeping your CMS, themes, plugins, and other third-party extensions up to date with the latest patches is a critical element in maintaining a secure website. We encourage plugin users to update to the latest 1.6.1 release as soon as possible.

In the event you are unable to update, we strongly recommend leveraging the Sucuri Firewall or an equivalent technology to virtually patch the vulnerability.

619
SHARES
FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, WordPress SecurityTags: Black Hat Tactics, SQL Injection, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

How to Clean a Hacked Website Guide

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.