The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL Injection vulnerability that could allow database access to hackers. The vulnerability was patched in June but was just announced by the National Vulnerability Database on November 3, 2023.
Fluent Forms Contact Form Builder
Fluent Forms Contact Form Builder is one of the most popular contact forms for WordPress, with over 300,000 installations. Its drag-and-drop interface makes creating custom contact forms easy so that users don’t have to learn how to code. The ability to use the plugin to create virtually any kind of input form makes it a top choice. Users can leverage the plugin to create subscription forms, payment forms, and forms for creating quizzes. Plus, it integrates with third-party applications like MailChimp, Zapier, and Slack. Importantly, it also has a native analytics capability. This incredible flexibility makes Fluent Forms a top choice because users can accomplish so much with just one plugin.
Input Neutralization
Every plugin that lets site visitors write data into the database, contact forms in particular, must process those inputs so that an attacker cannot slip in scripts or SQL commands that cause unexpected changes. This particular flaw leaves the Fluent Forms plugin open to SQL injection, which is especially serious if an attacker succeeds.
SQL Injection Vulnerability
SQL, which stands for Structured Query Language, is the language used to interact with databases. A SQL query is a command for reading, changing, or organizing the data stored in a database. The database holds everything that makes up a WordPress website, such as passwords, content, themes, and plugins. The database is the heart and brain of a WordPress website. Consequently, the ability to run arbitrary queries against a database is an extraordinary level of access that must not be available to unauthorized users or to software outside the website.
A SQL injection attack occurs when an attacker uses an otherwise legitimate input interface to insert a SQL command that interacts with the database. The non-profit Open Worldwide Application Security Project (OWASP) describes the devastating consequences of a SQL injection vulnerability:
- “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
- SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
- The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.”
Improper Neutralization
The National Vulnerability Database (NVD) published an advisory describing the cause of the vulnerability as “improper neutralization.” Neutralization refers to the process of making sure that anything entered into an application (such as a contact form) is limited to what is expected and that nothing else gets through. Proper neutralization of a contact form means it will not accept a SQL command.
The NVD described the vulnerability:
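To make the neutralization point concrete for both the “Input Neutralization” and “Improper Neutralization” sections, here is an added example of the unsafe pattern beside the hardened one using WordPress’ own database layer. It is not Fluent Forms code: it assumes it runs inside WordPress (where `$wpdb` and the `sanitize_*` helpers exist), and the table and column names are hypothetical.

```php
<?php
// Added example (not Fluent Forms code). Assumes a WordPress runtime where
// $wpdb is available; the entries table and its columns are hypothetical.

// Vulnerable pattern: untrusted form input is concatenated straight into SQL.
// A submitted value containing a quote (e.g. "O'Brien") already breaks the
// statement, and a crafted value can change what the query means.
function example_find_entries_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries';
    $sql   = "SELECT id, name, message FROM {$table} WHERE email = '{$email}'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through $wpdb->prepare(), so the
// database treats it strictly as data, never as SQL syntax. Validation of the
// expected shape (an e-mail address) happens first and fails closed.
function example_find_entries_safe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // prefix is trusted config, not user input
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return array(); // malformed input never reaches the query
    }
    $sql = $wpdb->prepare(
        "SELECT id, name, message FROM {$table} WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

// Storing a new entry: $wpdb->insert() builds the statement itself and the
// format array pins every column to the expected type ('%s' here).
function example_store_entry( array $fields ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_form_entries';
    $inserted = $wpdb->insert(
        $table,
        array(
            'name'    => sanitize_text_field( $fields['name'] ?? '' ),
            'email'   => sanitize_email( $fields['email'] ?? '' ),
            'message' => sanitize_textarea_field( $fields['message'] ?? '' ),
        ),
        array( '%s', '%s', '%s' )
    );
    return ( false === $inserted ) ? false : (int) $wpdb->insert_id;
}
```

The unsafe function is shown only to contrast the two patterns; in a real plugin every query that carries form data should take the `prepare()` or `insert()` route.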
“Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Contact Form – WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection.
This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.”
Security company Patchstack discovered the vulnerability and reported it to the plugin’s developers.
According to Patchstack:
“This could allow a malicious actor to directly interact with your database, including but not limited to stealing information.
This vulnerability has been fixed in version 5.0.0.”
Although Patchstack’s advisory states that the vulnerability was fixed in version 5.0.0, there is no mention of a security fix in the Fluent Forms Contact Form Builder changelog, where changes to the software are routinely logged.
This is the Fluent Forms Contact Form Builder changelog entry for version 5.0.0:
- “5.0.0 (DATE: JUNE 22, 2023)
- Revamped UI and better UX
- Global Styler Improvement
- The new framework for faster response
- Fixed issue with repeater field not appearing correctly on PDF
- Fixed issue with WPForm Migrator not properly transferring text fields to text input fields with correct maximum text length
- Fixed issue with entry migration
- Fixed number format in PDF files
- Fixed radio field label issue
- Updated Ajax routes to Rest Routes
- Updated filter & action hooks naming convention with older hooks support
- Updated translation strings”
It’s possible that one of those entries is the fix, but some plugin developers prefer to keep security fixes quiet, for whatever reason.
Recommendations:
It’s recommended that users of the contact form update their plugin as soon as possible.
Featured image by Shutterstock/Kues