### Description:
Type of user access: any user.
`$_POST['wa_forms_Id']` is not escaped before being concatenated into an SQL query, and `WAFormBuilder_ui_output()` is accessible to any user.
### File / Code:
Path: /wp-content/plugins/wa-form-builder/main.php
```php
global $wpdb;
// Debug output leaks the full statement, and the request value is concatenated
// straight into the SQL string: this is the injection point.
echo 'SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id'];
$form_attr = $wpdb->get_row('SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id']);
$user_fields .= '<table width="100%" cellpadding="3" cellspacing="1" style="background:#e7e7e7; color:#666;">';
foreach($_POST as $key=>$val)
{
    // Every POST field except the plugin's own control fields is stored as form meta.
    if(
        $key!='action' &&
        $key!='current_page' &&
        $key!='ajaxurl' &&
        $key!='page_id' &&
        $key!='wa_forms_Id' &&
        $key!='submit'
    )
    {
        $user_fields .= '<tr>';
        $user_fields .= ' <td bgcolor="#f2f2f2" width="20%">'.IZC_Functions::unformat_name(str_replace('dynamic_forms','',$key)).'</td>
        <td bgcolor="#FFFFFF" >'.IZC_Functions::unformat_name($val).'</td>';
        $user_fields .= '</tr>';
        // The same unvalidated form id is written into the meta table.
        $insert = $wpdb->insert($wpdb->prefix.'wap_wa_form_meta',
            array(
                'wa_form_builder_Id'=>$_REQUEST['wa_forms_Id'],
                'meta_key'=>$key,
                'meta_value'=>$val,
                'time_added' => mktime()
            )
        );
    }
}
```
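A hardened version of the handler above, added here as an example and not the plugin's own fix. The function name is assumed; the table names and the `IZC_Functions` helper are taken from the snippet, and the fix is to type-cast the id and bind it through `$wpdb->prepare()` instead of concatenating it.

```php
<?php
// Added example, not the plugin's own fix. Function name is assumed; the
// table names and the IZC_Functions helper come from the snippet above.
function wa_form_builder_store_submission_hardened() {
    global $wpdb;
    // Id is an integer column: cast the input so its type, not its content,
    // decides the query. The debug echo of the SQL statement is dropped.
    $form_id = isset( $_REQUEST['wa_forms_Id'] ) ? absint( $_REQUEST['wa_forms_Id'] ) : 0;
    if ( 0 === $form_id ) {
        return new WP_Error( 'wa_form_invalid_id', 'Invalid form id.' );
    }
    // Parameterise the lookup: %d is bound by $wpdb->prepare(), so the
    // query shape can no longer be changed by the request.
    $form_attr = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wap_wa_form_builder WHERE Id = %d",
        $form_id
    ) );
    if ( null === $form_attr ) {
        return new WP_Error( 'wa_form_not_found', 'Form not found.' );
    }
    $skip        = array( 'action', 'current_page', 'ajaxurl', 'page_id', 'wa_forms_Id', 'submit' );
    $user_fields = '<table width="100%" cellpadding="3" cellspacing="1">';
    foreach ( $_POST as $key => $val ) {
        if ( in_array( $key, $skip, true ) || is_array( $val ) ) {
            continue;
        }
        // Sanitise what is stored, escape what is rendered.
        $clean_key = sanitize_text_field( str_replace( 'dynamic_forms', '', $key ) );
        $clean_val = sanitize_text_field( wp_unslash( $val ) );
        $user_fields .= '<tr><td>' . esc_html( IZC_Functions::unformat_name( $clean_key ) ) . '</td>'
                      . '<td>' . esc_html( IZC_Functions::unformat_name( $clean_val ) ) . '</td></tr>';
        // $wpdb->insert() prepares its values; the explicit format array pins
        // each column's type so the form id is always written as an integer.
        $wpdb->insert(
            $wpdb->prefix . 'wap_wa_form_meta',
            array(
                'wa_form_builder_Id' => $form_id,
                'meta_key'           => $clean_key,
                'meta_value'         => $clean_val,
                'time_added'         => time(),
            ),
            array( '%d', '%s', '%s', '%d' )
        );
    }
    $user_fields .= '</table>';
    return $user_fields;
}
```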
### Proof of Concept:
1. The target URL is a page on the site that renders one of the plugin's forms, so first locate such a form.
2. Send a POST (or GET) request to it:
Result:
![](https://images.seebug.org/1493186417163)
target => http://target/2016/11/21/PostWithformOfPlugin/
post or get =>
![](https://images.seebug.org/1493186384782)