WordPress Contact Form Submissions plugin <= 1.6.4 - Authenticated Double Query SQL injection (SQLi) vulnerability

Plugin slug: contact-form-submissions

Software: Contact Form Submissions
Versions: <= 1.6.4
Disclosure date: 2021-01-03
CVE: N/A
References: none listed
Credits: Lenon Leite
Classification: SQL Injection
OWASP Top 10: A1: Injection


Details

Authenticated Double Query SQL injection (SQLi) vulnerability found by Lenon Leite in the WordPress Contact Form Submissions plugin (versions <= 1.6.4). Exploitation requires a logged-in WordPress user; the advisory does not state the minimum role, the affected parameter or the vulnerable code path. "Double query", as the term is used in WordPress plugin advisories, denotes the error-based MySQL injection technique in which an injected subquery provokes a duplicate-key error whose message echoes attacker-chosen data, so the result of the injected SELECT is returned in the database error rather than in the page content. As with any SQL injection executed through the site's database connection, a successful attack typically gives read access to the whole WordPress database (user records and password hashes as well as the stored form submissions), not only to the plugin's own data.
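As an added illustration (example code written for this page, not code from the plugin or from the advisory's author): a hypothetical filter handler that interpolates an authenticated user's form_id value into SQL, the parameterized version that fixes it (the Python analogue of $wpdb->prepare() in WordPress), the shape of the MySQL double-query payload the classification refers to, and a detector for that payload run over constructed web-server log lines. The table, column and admin URL names are assumptions; the page does not give the real ones. SQLite stands in for MySQL, so the double-query payload is shown as text and recognised by the detector rather than executed.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample data. Table, columns and admin URL are assumptions made for
# this example; the advisory does not name the plugin's real schema or endpoint.
SAMPLE_ROWS = [
    (1, 101, "alice@example.com", "Hello from form 101"),
    (2, 101, "bob@example.com", "Second message on form 101"),
    (3, 202, "carol@example.com", "Private message on form 202"),
]
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2021:10:00:00 +0000] "GET /wp-admin/admin.php'
    '?page=submissions&form_id=101 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Jan/2021:10:00:07 +0000] "GET /wp-admin/admin.php'
    '?page=submissions&form_id=1+AND+(SELECT+1+FROM+(SELECT+COUNT(*),'
    'CONCAT((SELECT+@@version),FLOOR(RAND(0)*2))x+FROM+information_schema.tables'
    '+GROUP+BY+x)a) HTTP/1.1" 500 1024',
]


def build_db():
    """In-memory SQLite stand-in for the plugin's submissions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, "
                 "form_id INTEGER, email TEXT, body TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_submissions_vulnerable(conn, form_id):
    """Hypothetical vulnerable handler: a logged-in user's filter value is pasted
    into the SQL text, so that user controls the structure of the query."""
    sql = f"SELECT id, form_id, email FROM submissions WHERE form_id = {form_id}"
    return conn.execute(sql).fetchall()


def find_submissions_safe(conn, form_id):
    """Hardened handler: the value is bound as a parameter, the analogue of
    $wpdb->prepare('... WHERE form_id = %d', $form_id) in WordPress, so it is
    compared as data and never parsed as SQL."""
    sql = "SELECT id, form_id, email FROM submissions WHERE form_id = ?"
    return conn.execute(sql, (form_id,)).fetchall()


# Shape of the MySQL error-based "double query" payload behind the advisory's
# classification: RAND(0) gives a repeatable sequence, MySQL re-evaluates the
# GROUP BY key while building its temporary table, the key collides, and the
# "Duplicate entry '...'" error message echoes the injected value (@@version
# here). MySQL-specific, so it is shown as text and not run against SQLite.
DOUBLE_QUERY_PAYLOAD = ("1 AND (SELECT 1 FROM (SELECT COUNT(*),"
                        "CONCAT((SELECT @@version),FLOOR(RAND(0)*2))x "
                        "FROM information_schema.tables GROUP BY x)a)")

# The technique's four ingredients; all of them in one parameter value is a
# strong signal regardless of case or whitespace tricks.
_DOUBLE_QUERY_MARKERS = (
    re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    re.compile(r"\bgroup\s+by\b", re.I),
    re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
    re.compile(r"\bconcat\s*\(", re.I),
)
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_double_query_payload(value):
    """True when a parameter value carries all four double-query markers."""
    decoded = unquote_plus(value)  # tolerate one extra layer of URL encoding
    return all(m.search(decoded) for m in _DOUBLE_QUERY_MARKERS)


def flag_requests(log_lines):
    """Return (parameter, value) pairs from access-log lines whose query string
    looks like a double-query injection attempt."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in parse_qsl(urlsplit(match.group(1)).query,
                                     keep_blank_values=True):
            if is_double_query_payload(value):
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    conn = build_db()
    print(find_submissions_vulnerable(conn, "101 OR 1=1"))  # all three rows leak
    print(find_submissions_safe(conn, "101 OR 1=1"))        # []
    print(flag_requests(SAMPLE_LOG))                         # the second log line
```

The detector is a triage heuristic for log review, not a WAF rule: it catches the canonical FLOOR(RAND(0)*2) form and URL-encoded variants, but an attacker can reach the same duplicate-key error with other expressions, so a hit should prompt a look at the surrounding requests rather than be treated as the only indicator.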

Solution

2021-01-11 - we could not find a patched version of this plugin (last updated about 10 months before this note). The plugin appears to be unmaintained; we recommend deactivating and deleting it, at least until a patched version is available. Because the flaw requires an authenticated user, reviewing which accounts can reach the plugin's admin pages reduces exposure in the meantime, but it is not a substitute for removing the plugin.
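Added example (not from the advisory or the plugin): a check that reads the version from a plugin's main-file header and decides whether an install falls in the affected range, comparing version components numerically so that a hypothetical future 1.10.x release would not be misjudged by string ordering. The header excerpt is constructed for the example in the standard WordPress plugin-header format and is not copied from the plugin.

```python
import re
from typing import Optional

AFFECTED_SLUG = "contact-form-submissions"
LAST_AFFECTED_VERSION = "1.6.4"  # the advisory lists "<= 1.6.4"

# Constructed plugin-header excerpt in the standard WordPress plugin header
# format; not copied from the plugin's real main file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Contact Form Submissions
 * Description: Stores form submissions.
 * Version: 1.6.4
 */
"""


def parse_version(version):
    """Turn '1.6.4' into (1, 6, 4). A plain string comparison would wrongly put
    '1.10.0' before '1.6.4'."""
    parts = re.findall(r"\d+", version)
    return tuple(int(p) for p in parts) if parts else (0,)


def is_affected(installed_version):
    """True for every version the advisory covers, i.e. <= 1.6.4."""
    return parse_version(installed_version) <= parse_version(LAST_AFFECTED_VERSION)


def version_from_plugin_header(php_source):
    """Read the 'Version:' field from a plugin's main-file header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M | re.I)
    return match.group(1) if match else None


def check_plugin(slug, php_source):
    """For the affected slug, return the installed version when it is in the
    affected range, or 'unknown' when no Version header can be read (the
    advisory knows no fixed release, so an unreadable version is still treated
    as affected). Returns None for other plugins or for versions above 1.6.4."""
    if slug != AFFECTED_SLUG:
        return None
    version = version_from_plugin_header(php_source)
    if version is None:
        return "unknown"
    return version if is_affected(version) else None


if __name__ == "__main__":
    # In practice php_source would be read from
    # wp-content/plugins/<slug>/<slug>.php on each site being audited.
    print(check_plugin(AFFECTED_SLUG, SAMPLE_PLUGIN_HEADER))  # 1.6.4
```

Where the check reports a version, the remediation the advisory recommends can be applied from the WordPress root with WP-CLI: wp plugin deactivate contact-form-submissions followed by wp plugin delete contact-form-submissions.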
