Saturday, July 27, 2024

Vulnerability in Fluent Forms Contact Form Plugin for WordPress

SQL injection vulnerability in the Fluent Forms WordPress contact form plugin affects more than 300,000 websites and can give attackers access to the site database.

The popular Fluent Forms Contact Form Builder WordPress plugin, which has over 300,000 installations, was found to contain a SQL injection vulnerability that could give attackers access to the site's database.

The vulnerability was fixed in June 2023, but it was not publicly disclosed until November 3, 2023.

Fluent Forms Contact Form Builder
With more than 300,000 installs, Fluent Forms Contact Form Builder is one of the most widely used contact form plugins for WordPress.

Fluent Forms is a popular choice because of its flexibility: users can build a wide range of forms with a single plugin.

Input Neutralization
Any plugin that takes user input and writes it to the database, and contact forms do exactly that, must neutralize that input so that an attacker cannot smuggle in scripts or SQL commands and use them to read or modify data they are not authorized to touch. For SQL this means the input reaches the database as a bound parameter or a properly escaped value, never spliced directly into the query text.

This particular vulnerability leaves the Fluent Forms plugin open to SQL injection, which can be very damaging if an attacker exploits it successfully.

SQL Injection Vulnerability

Databases can be interacted with using a language called SQL, or Structured Query Language.

An SQL query is an instruction used to retrieve, modify, or arrange data that is kept in a database.

Everything needed to run a WordPress website, including theme and plugin settings, content, user accounts and password hashes, is stored in the database.

The database is the central nervous system of a WordPress website.

The ability to run arbitrary queries against that database is therefore a very high level of access that should never be available to unauthorized individuals or to software outside the website itself.

A SQL injection attack occurs when an attacker manages to get a SQL command into the database through an input channel, such as a form field, that the application treats as trustworthy data.

According to the nonprofit Open Worldwide Application Security Project (OWASP), a SQL injection vulnerability can have disastrous results.

“SQL injection attacks allow attackers to become database server administrators, spoof identities, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, and allow the complete disclosure of all data on the system.
SQL injection is a common problem because PHP and ASP applications tend to use older functional interfaces. Because of the nature of the programmatic interfaces available, SQL injections are less common in J2EE and ASP.NET applications.
The severity of SQL injection attacks is limited by the attacker's skill and creativity, as well as by defense-in-depth techniques such as low-privilege connections to the database server and similar measures.”

Improper Neutralization
The U.S. National Vulnerability Database (NVD) published an advisory for the vulnerability that identifies “improper neutralization” as the cause; this is the weakness class catalogued as CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Neutralization means that whatever is entered into an application (such as a contact form) is constrained to its intended role as data and cannot change what the application does.

In a properly neutralized contact form, a field value that contains SQL syntax is stored or matched as literal text; it is never executed as part of a query.
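The following is an added example, not code from the original article or from the Fluent Forms plugin, that makes the neutralization point above concrete. It builds a small in-memory SQLite database with constructed sample data (the table names wp_form_entries and wp_users, the rows, and the password hash are all invented for the example), then runs two attacker payloads against an entry lookup written two ways: one that splices the form value into the query text, and one that passes it as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for a WordPress site's tables.
# The table names, rows and the "hash" are invented for this example.
SAMPLE_ENTRIES = [
    (1, "alice@example.com", "Hello, I have a question"),
    (2, "bob@example.com", "Quote request"),
    (3, "carol@example.com", "Support ticket"),
]
SAMPLE_USERS = [
    (1, "admin", "$P$B-constructed-hash-not-real"),
]


def make_db():
    """Build an in-memory database with an entries table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_form_entries (id INTEGER PRIMARY KEY, email TEXT, message TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.executemany("INSERT INTO wp_form_entries VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_entries_vulnerable(conn, email):
    """Improper neutralization: the field value is spliced into the SQL text,
    so quotes and keywords inside it are interpreted as SQL."""
    sql = f"SELECT id, email FROM wp_form_entries WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_entries_hardened(conn, email):
    """Proper neutralization: the field value travels as a bound parameter and
    can only ever be compared as data, whatever characters it contains."""
    sql = "SELECT id, email FROM wp_form_entries WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads an attacker might type into the form's email field.
PAYLOAD_TAUTOLOGY = "x@example.com' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT ID, user_pass FROM wp_users --"


def demo():
    """Run both payloads against both implementations and report what happens."""
    conn = make_db()
    union_rows = find_entries_vulnerable(conn, PAYLOAD_UNION)
    return {
        # tautology turns "email = ?" into "email = ... OR '1'='1": every row
        "vulnerable_tautology_rows": len(find_entries_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "hardened_tautology_rows": len(find_entries_hardened(conn, PAYLOAD_TAUTOLOGY)),
        # UNION pulls the users table's password hash out through the form lookup
        "vulnerable_union_leaks_hash": union_rows == [(1, SAMPLE_USERS[0][2])],
        "hardened_union_rows": len(find_entries_hardened(conn, PAYLOAD_UNION)),
        # the hardened version still works for a legitimate value
        "hardened_legit_rows": len(find_entries_hardened(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable lookup the tautology payload returns all three entries and the UNION payload returns the admin password hash, even though the query was only meant to read contact form entries; with bound parameters both payloads match nothing and a real address still matches its one row. In WordPress plugin code the equivalent of the hardened form is `$wpdb->prepare()` with `%s`/`%d` placeholders rather than building the query string by hand.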

The NVD describes the vulnerability as follows:

“Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms allows SQL Injection.

This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.”

The plugin creators were notified of the issue by the security firm Patchstack.

As stated by Patchstack:

This might make it possible for a hostile actor to communicate with your database directly and carry out actions like information theft.

In version 5.0.0, this vulnerability has been patched.

Patchstack's advisory states that the vulnerability was addressed in version 5.0.0; however, the Fluent Forms Contact Form Builder changelog, which records each software update, does not mention a security fix.

The Fluent Forms Contact Form Builder changelog entry for version 5.0.0 reads:

5.0.0 (June 22, 2023)
New UI and improved UX
Global Styler improvement
Updated framework for faster response
Fixed repeater field not showing properly in PDF
Fixed WPForms Migrator not migrating text fields to text input fields with the proper maximum text length
Fixed entries migration issue
Fixed number format in PDF
Fixed radio field label issue
Ajax routes moved to REST routes
Changed naming convention for filter and action hooks, with backward compatibility for the older hooks
Updated translation strings

The fix may be hidden in one of those entries, but none of them is labelled as a security fix. Some plugin developers choose, for whatever reason, not to call out security fixes in their changelogs, which means site administrators cannot tell from the changelog alone that an update is urgent.

Suggested actions:

Users of the plugin are advised to update to version 5.0.0 or later as soon as possible; any installed version up to and including 4.3.25 is affected.
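Because the changelog does not flag the fix, the only reliable way to know whether a site is exposed is to compare the installed plugin version against the figures in the two advisories. The following is an added example, not code from the article or from the plugin, that reads the "Version:" field from a WordPress plugin header comment and compares it numerically against the fixed release. The header text is a constructed stand-in, and the path wp-content/plugins/fluentform/fluentform.php named in the comments is an assumption about where such a header would live, not something the article states.

```python
import re

# Version figures from the advisories quoted in the article.
LAST_AFFECTED = "4.3.25"   # NVD: affected "from n/a through 4.3.25"
FIXED_VERSION = "5.0.0"    # Patchstack: patched in 5.0.0

# Constructed stand-in for the header comment of a plugin's main file.
# The real plugin's file is not reproduced here; the path
# wp-content/plugins/fluentform/fluentform.php is an assumption.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Fluent Forms
 * Description: Contact form builder (constructed sample header)
 * Version: 4.3.25
 */
"""


def header_version(plugin_file_text):
    """Extract the 'Version:' field from a WordPress plugin header comment.
    Returns None if the field is absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.MULTILINE)
    return m.group(1) if m else None


def parse_version(version):
    """Turn '4.3.25' into (4, 3, 25) so components compare numerically.
    Plain string comparison gets this wrong: '4.3.9' > '4.3.25' as text.
    Non-numeric suffixes such as '-beta1' are ignored, and missing
    components are treated as 0 so that '5.0' equals '5.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_plugin(plugin_file_text):
    """Read the header and report (version, affected?) for an installed copy."""
    version = header_version(plugin_file_text)
    if version is None:
        raise ValueError("no Version: field found in plugin header")
    return version, is_affected(version)


if __name__ == "__main__":
    ver, affected = assess_plugin(SAMPLE_PLUGIN_HEADER)
    print(f"Fluent Forms {ver}: {'UPDATE REQUIRED' if affected else 'not affected'}")
```

To check a real site, read the plugin's main file and pass its contents to assess_plugin(); the numeric comparison matters because a lexicographic check would wrongly rank 4.3.9 above 4.3.25.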
