Homepage:
https://wordpress.org/plugins/wa-form-builder/
Description:
Type user access: any user.
$_POST['wa_forms_Id'] is not escaped before being concatenated into a SQL query. WAFormBuilder_ui_output() is accessible to any user.
File / Code:
Path: /wp-content/plugins/wa-form-builder/main.php
Line: 779
global $wpdb;
// The raw request value is concatenated straight into the statement, and the statement is echoed to the response.
echo 'SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id'];
$form_attr = $wpdb->get_row('SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id']);
$user_fields .= '<table width="100%" cellpadding="3" cellspacing="1" style="background:#e7e7e7; color:#666;">';
foreach($_POST as $key=>$val) {
    if( $key!='action' && $key!='current_page' && $key!='ajaxurl' && $key!='page_id' && $key!='wa_forms_Id' && $key!='submit' ) {
        $user_fields .= '<tr>';
        $user_fields .= ' <td bgcolor="#f2f2f2" width="20%">'.IZC_Functions::unformat_name(str_replace('dynamic_forms','',$key)).'</td> <td bgcolor="#FFFFFF" >'.IZC_Functions::unformat_name($val).'</td>';
        $user_fields .= '</tr>';
        // The same unvalidated request value is stored as the foreign key for every submitted field.
        $insert = $wpdb->insert($wpdb->prefix.'wap_wa_form_meta', array(
            'wa_form_builder_Id'=>$_REQUEST['wa_forms_Id'],
            'meta_key'=>$key,
            'meta_value'=>$val,
            'time_added' => mktime()
        ));
    }
}
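For comparison, an added example (not the plugin's code) of how the same lookup and insert would look with the missing controls in place: integer validation, a prepared statement, a nonce check and no echo of the statement. The function and nonce names are hypothetical; the table and column names are taken from the snippet above.

```php
<?php
// Added example, not part of the WA Form Builder plugin. Function and nonce names are assumptions.
function wafb_example_load_form( $raw_id ) {
    global $wpdb;

    // Cast to a non-negative integer; anything that is not a positive integer is rejected.
    $form_id = absint( $raw_id );
    if ( 0 === $form_id ) {
        return null;
    }

    $table = $wpdb->prefix . 'wap_wa_form_builder';

    // %d is an integer placeholder, so the request value cannot alter the statement's structure.
    // The statement is not echoed back to the client.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE Id = %d", $form_id );
    return $wpdb->get_row( $sql );
}

// Hypothetical AJAX entry point showing the checks the original handler lacks.
function wafb_example_ajax_handler() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce (action and field names are assumptions).
    check_ajax_referer( 'wafb_example_submit', 'wafb_nonce' );

    $form = wafb_example_load_form( isset( $_REQUEST['wa_forms_Id'] ) ? $_REQUEST['wa_forms_Id'] : 0 );
    if ( null === $form ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    $skip = array( 'action', 'current_page', 'ajaxurl', 'page_id', 'wa_forms_Id', 'submit', 'wafb_nonce' );
    foreach ( $_POST as $key => $val ) {
        if ( in_array( $key, $skip, true ) ) {
            continue;
        }
        // $wpdb->insert() escapes values itself; the format array pins each column's type,
        // and the foreign key comes from the validated row, not from the raw request.
        $wpdb->insert(
            $wpdb->prefix . 'wap_wa_form_meta',
            array(
                'wa_form_builder_Id' => (int) $form->Id,
                'meta_key'           => sanitize_key( $key ),
                'meta_value'         => sanitize_text_field( wp_unslash( $val ) ),
                'time_added'         => time(),
            ),
            array( '%d', '%s', '%s', '%d' )
        );
    }
    wp_send_json_success();
}
```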
Proof of Concept:
1 – The target URL is a page that embeds one of the plugin's forms, so first locate such a form on the site.
2 – Send a POST request for:
Result:
target => http://target/2016/11/21/PostWithformOfPlugin/
post or get=>
Timeline:
- 28/11/2016 – Discovered
- 28/11/2016 – Vendor not found