CVE-2024-31077 – Forminator <= 1.29.2 - Authenticated (Admin+) SQL Injection

https://notcve.org/view.php?id=CVE-2024-31077

Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition. Forminator anterior a 1.29.3 contiene una vulnerabilidad de inyección SQL. Si se explota esta vulnerabilidad, un atacante remoto autenticado con privilegios administrativos puede obtener y alterar cualquier información en la base de datos y provocar una condición de denegación de servicio (DoS). The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.29.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://jvn.jp/en/jp/JVN50132400 https://wordpress.org/plugins/forminator https://wpmudev.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •