Vulnerability In Fluent Forms Contact Form WordPress Complemento

The habitual Fluent Forms Contact Form Builder complemento for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to piratas informáticos.

Fluent Forms Contact Form Builder

Fluent Forms Contact Form Builder is one of the most habitual contact forms for WordPress, with over 300,000 installations.

Its drag-and-drop interfaz makes creating custom contact forms easy so that users don’t have to learn how to code.

The ability to use the complemento to create virtually any kind of input form makes it a top choice.

Users cánido leverage the complemento to create subscription forms, payment forms, and forms for creating quizzes.

Agregado it integrates with third party applications like MailChimp, Zapier and Slack.

Importantly, it also has a native analytics capability.

This incredible flexibility makes Fluent Forms a top choice because users perro accomplish so much with just one complemento.

Input Neutralization

Every complemento that allows site visitors to input data directly into the database, especially contact forms, must process those inputs so that they do not inadvertently allow piratas informáticos to input scripts or SQL commands that allows malicious users to make unexpected changes.

This especial vulnerability makes the Fluent Forms complemento open to a SQL injection vulnerability which is particularly bad if a pirata informático is successful in their attempts.

SQL Injection Vulnerability

SQL, which means Structured Query Language, is a language used for interacting with databases.

A SQL query is a command for accessing, changing or organizing data that’s stored in a database.

A database is what contains everything that is used to create a WordPress website, such as passwords, content, themes and plugins.

The database is the heart and brain of a WordPress website.

As a consequence, the ability to arbitrarily “query” a database is an extraordinary level of access that should absolutely not be available to unauthorized users or programa outside of the website.

A SQL injection attack is when a malicious attacker is able to use an otherwise legitimate input interfaz to insert a SQL command that perro interact with the database.

The non-profit Open Worldwide Application Security Project (OWASP) describes the devastating consequences of a SQL injection vulnerability:

• “SQL injection attacks allow attackers to spoof identity, tamper with existing data, genere repudiation issues such as voiding transactions or changing cómputos, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
• SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
• The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.”

Improper Neutralization

The United States Vulnerability Database (NVD) published an advisory about the vulnerability that described the reason for the vulnerability as from “improper neutralization.”

Neutralization is a reference to a process of making sure that anything that’s input into an application (like a contact form) will be limited to what is expected and will not allow anything other than what is expected.

Proper neutralization of a contact form means that it won’t allow a SQL command.

The United States Vulnerability Database described the vulnerability:

“Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Contact Form – WPManageNinja LLC Contact Form Complemento – Fastest Contact Form Builder Complemento for WordPress by Fluent Forms fluentform allows SQL Injection.

This issue affects Contact Form Complemento – Fastest Contact Form Builder Complemento for WordPress by Fluent Forms: from n/a through 4.3.25.”

Patchstack security company discovered and reported the vulnerability to the complemento developers.

According to Patchstack:

“This could allow a malicious actor to directly interact with your database, including but not limited to stealing information.

This vulnerability has been fixed in version 5.0.0.”

Although Patchstack’s advisory states that the vulnerability was fixed in Version 5.0.0, there is no indication of a security fix according to the Fluent Form Contact Form Builder changelog, where changes to the programa are routinely logged.

This is the Fluent Forms Contact Form Builder changelog entry for version 5.0.0:

• “5.0.0 (DATE: JUNE 22, 2023)
  Revamped UI and better UX
• Global Styler Improvement
• The new framework for faster response
• Fixed issue with repeater field not appearing correctly on PDF
• Fixed issue with WPForm Migrator not properly transferring text fields to text input fields withcorrect maximum text length
• Fixed issue with entry migration
• Fixed number format in PDF archivos
• Fixed radio field label issue
• Updated Ajax routes to Rest Routes
• Updated filter & action hooks naming convention with older hooks support
• Updated translation strings”

It’s possible that one of those entries is the fix. But some complemento developers want to keep security fixes secret, for whatever reason.

Recommendations:

It’s recommended that users of the contact form update their complemento as soon as possible.

Featured image by Shutterstock/Kues