CVE-2024-7780 - Vulnerability Details

CVE-2024-7780 - Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to generic SQL Injection via the id parameter in versions 2.0 to 2.13.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Bitapps	Contact Form Builder
Bitpressadmin	Contact Form By Bit Form Multi Step Form

Configuration 1 [-]

cpe:2.3:a:bitapps:contact_form_builder:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/AdminAjax.php#L1108
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/Form/AdminFormHandler.php#L2387
https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Core/Messages/EmailTemplateHandler.php#L93
https://www.wordfence.com/threat-intel/vulnerabilities/id/73b6b22a-4699-4307-8a03-148dd9e95d36?source=cve

History

Mon, 26 Aug 2024 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bitapps Bitapps contact Form Builder
CPEs		cpe:2.3:a:bitapps:contact_form_builder::::::wordpress::*
Vendors & Products		Bitapps Bitapps contact Form Builder

Wed, 21 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bitpressadmin Bitpressadmin contact Form By Bit Form Multi Step Form
CPEs		cpe:2.3:a:bitpressadmin:contact_form_by_bit_form_multi_step_form::::::::
Vendors & Products		Bitpressadmin Bitpressadmin contact Form By Bit Form Multi Step Form
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 20 Aug 2024 03:30:00 +0000

Type	Values Removed	Values Added
Description		The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to generic SQL Injection via the id parameter in versions 2.0 to 2.13.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title		Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection
Weaknesses		CWE-89
References		https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/AdminAjax.php#L1108 https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Admin/Form/AdminFormHandler.php#L2387 https://plugins.trac.wordpress.org/browser/bit-form/tags/2.13.6/includes/Core/Messages/EmailTemplateHandler.php#L93 https://www.wordfence.com/threat-intel/vulnerabilities/id/73b6b22a-4699-4307-8a03-148dd9e95d36?source=cve
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-08-20T03:21:10.510Z

Updated: 2024-08-21T19:28:00.702Z

Reserved: 2024-08-13T22:14:49.665Z

Link: CVE-2024-7780

Vulnrichment

Updated: 2024-08-21T19:27:56.473Z

NVD

Status : Analyzed

Published: 2024-08-20T04:15:10.737

Modified: 2024-08-26T18:19:59.907

Link: CVE-2024-7780

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object