integrable SQL Injection Vulnerability Affects Contact Form Plugin
CVE-2024-7702

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Contact Form By Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form Builder
Vendor: CVE Published:; 20 August 2024

Summary

The Contact Form plugin by Bit Form, encompassing multiple functionalities like Multi Step Form, Calculation Contact Form, Payment Contact Form, and Custom Contact Form builder, is susceptible to SQL injection attacks. This security flaw arises from inadequate escaping of the user-supplied entryID parameter, combined with insufficient preparation in the SQL query. Authenticated users with Administrator-level access or higher may exploit this vulnerability to append malicious SQL queries, potentially enabling them to access sensitive information from the database.

Affected Version(s)

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 <= 2.13.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bit-form/trunk...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 20, 2024
Vulnerability Reserved
Aug 12, 2024

Credit

TANG Cheuk Hei