CVE-2019-10866
Published 2019-05-23
Priority: P2 · 62 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see Detection & IOCs below)
EPSS: 6.21% (92.6th percentile)
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | form_maker | < 1.13.3 | 1.13.3 |
Detection & IOCs (extracted from sources)
- url: http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=
- command: ,(case+when+(select+ascii(substring(user_pass,<N>,<N>))+from+wp_users+where+id%3d1)%3d<ORD>+then+(select+sleep(<TIME>)+from+wp_users+limit+1)+else+2+end)+asc%3b
- Monitor GET requests to wp-admin/admin.php with the query parameter page=submissions_fm and an asc_or_desc value containing SQL time-based blind injection payloads (e.g., CASE/WHEN/SLEEP constructs, URL-encoded SQL keywords and metacharacters such as %3d, %3b, +select+, +sleep+).
- The vulnerable injection point is the asc_or_desc parameter of the submissions_fm admin page; alert on any non-standard value (anything other than 'asc' or 'desc') in this parameter.
- Time-based blind SQLi exploitation pattern: repeated requests to the same endpoint with incrementing substring index values and measurable response delays (~0.5s threshold) indicate automated password enumeration from the wp_users table.
- Exploitation requires an authenticated WordPress admin session; correlate suspicious wp-login.php POST events immediately followed by anomalous submissions_fm GET requests with SQL-like asc_or_desc values.
- The exploit targets versions of the Form Maker plugin before 1.13.3; the NVD description gives 1.13.3 as the fixed-version boundary, so confirm the installed plugin version before applying detections.
- The exploit requires authenticated access (WordPress admin credentials); unauthenticated exploitation is not demonstrated, so detections should focus on authenticated admin sessions.
- The PoC uses a hardcoded TIME threshold of 0.5 seconds for sleep-based detection; real-world attackers may tune this value, so time-based detection rules should use a range rather than a fixed threshold.
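The detection points listed above (non-standard asc_or_desc values, SQL tokens in that parameter, a response-time range rather than a fixed threshold, and repeated hits from one source) can be turned into a small log scanner. The following is an added example written for this record, not code from the page's sources or from the 10web project; the log layout (Apache/nginx "combined" format with a trailing request-time field in milliseconds) and the sample lines are constructed for the example and the field names and thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not real traffic). Combined format plus a
# hypothetical trailing request-time field in milliseconds, as nginx's
# $request_time or Apache's %D would supply after scaling.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2019:10:01:02 +0000] "GET /wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120
10.0.0.9 - - [23/May/2019:10:02:11 +0000] "GET /wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=,(case+when+(select+ascii(substring(user_pass,1,1))+from+wp_users+where+id%3d1)%3d36+then+(select+sleep(1)+from+wp_users+limit+1)+else+2+end)+asc%3b HTTP/1.1" 200 5120 "-" "python-requests/2.21" 1640
10.0.0.9 - - [23/May/2019:10:02:13 +0000] "GET /wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=,(case+when+(select+ascii(substring(user_pass,2,1))+from+wp_users+where+id%3d1)%3d97+then+(select+sleep(1)+from+wp_users+limit+1)+else+2+end)+asc%3b HTTP/1.1" 200 5120 "-" "python-requests/2.21" 130
10.0.0.7 - - [23/May/2019:10:03:00 +0000] "GET /wordpress/wp-admin/admin.php?page=submissions_fm&task=display&asc_or_desc=ASC HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 95
10.0.0.7 - - [23/May/2019:10:03:05 +0000] "GET /wordpress/wp-admin/edit.php?post_type=page HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 80
"""

# Combined log format with an optional trailing request-time field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: (?P<ms>\d+))?\s*$'
)

# Keywords and metacharacters that never belong in a sort-direction parameter.
SQL_HINT = re.compile(
    r"\b(select|sleep|benchmark|case|when|union|substring|ascii)\b|[;()'\"]", re.I
)

# ORDER BY direction keywords are case-insensitive in MySQL, so "ASC" is benign.
ALLOWED_DIRECTIONS = {"asc", "desc"}


def inspect_line(line, slow_ms=(400, 30000)):
    """Return a finding dict for a suspicious submissions_fm request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("page", [""])[0] != "submissions_fm":
        return None
    reasons = []
    # parse_qs already URL-decodes, so %3d and '+' are resolved before matching.
    for value in params.get("asc_or_desc", []):
        if value.strip().lower() not in ALLOWED_DIRECTIONS:
            reasons.append("non_standard_sort_direction")
        if SQL_HINT.search(value):
            reasons.append("sql_tokens_in_sort_direction")
    if not reasons:
        return None
    # Time-based blind SQLi shows up as a delayed response; a range avoids
    # missing attackers who tune the sleep value away from the PoC's 0.5s.
    ms = m.group("ms")
    if ms is not None and slow_ms[0] <= int(ms) <= slow_ms[1]:
        reasons.append("slow_response")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "asc_or_desc": params.get("asc_or_desc", [""])[0],
        "reasons": reasons,
    }


def scan_log(text, slow_ms=(400, 30000)):
    """Scan a whole log text and return the list of findings in order."""
    return [f for f in (inspect_line(l, slow_ms) for l in text.splitlines()) if f]


def hits_per_ip(findings):
    """Repeated hits from one source are the enumeration pattern described above."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], ", ".join(f["reasons"]))
    print("hits per source:", hits_per_ip(found))
```

Running the block on the constructed sample flags only the two requests from 10.0.0.9; the first also carries the slow-response reason because its 1640 ms request time falls inside the range, while the legitimate `ASC` request and the unrelated edit.php request produce nothing. In production the per-IP count should be joined with the preceding wp-login.php POST events the record mentions, since exploitation needs an authenticated admin session.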
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.