SQL Injection Vulnerability in Form Vibes Plugin for WordPress

CVE-2024-5325

8.8HIGH

Key Information

Vendor: WPvibes
Status: Form Vibes – Database Manager For Forms
Vendor: CVE Published:; 12 July 2024

Summary

The Form Vibes plugin for WordPress is vulnerable to SQL Injection via the ‘fv_export_data’ parameter in all versions up to, and including, 1.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected Version(s)

Form Vibes – Database Manager for Forms <= 1.4.10

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 12, 2024
Disclosed
Jul 11, 2024
Vulnerability Reserved.
May 24, 2024
Vendor Notified
May 24, 2024

Collectors

NVD DatabaseMitre Database

Credit

Peter Thaleikis