The popular Fluent Forms Contact Form Builder plugin for WordPress, with over 300,000 installations, was discovered to contain a SQL injection vulnerability that could allow hackers access to the database. The vulnerability may have been patched in June, but it was only announced on November 3, 2023.
Fluent Forms Contact Form Builder
Fluent Forms Contact Form Builder is one of the most popular contact forms for WordPress, with over 300,000 installations.
Its drag-and-drop interface makes creating custom contact forms easy so that users don’t have to learn how to code. The ability to use the plugin to create virtually any kind of input form makes it a top choice.
Users can leverage the plugin to create subscription forms, payment forms, and forms for creating quizzes. Plus it integrates with third party applications like MailChimp, Zapier and Slack.
Importantly, it also has a native analytics capability.
This incredible flexibility makes Fluent Forms a top choice because users can accomplish so much with just one plugin.
Every plugin that allows site visitors to input data directly into the database, especially contact forms, must process those inputs so that they do not inadvertently allow hackers to submit scripts or SQL commands that let malicious users make unexpected changes.
This particular vulnerability leaves the Fluent Forms plugin open to SQL injection, which is particularly bad if a hacker succeeds in exploiting it.
SQL Injection Vulnerability
SQL, which stands for Structured Query Language, is a language used for interacting with databases.
A SQL query is a command for accessing, changing or organizing data that’s stored in a database.
A database is what contains everything that is used to create a WordPress website, such as passwords, content, themes and plugins.
The database is the heart and brain of a WordPress website.
As a consequence, the ability to arbitrarily “query” a database is an extraordinary level of access that should absolutely not be available to unauthorized users or software outside of the website.
A SQL injection attack is when a malicious attacker is able to use an otherwise legitimate input interface to insert a SQL command that can interact with the database.
The U.S. National Vulnerability Database (NVD) published an advisory about the vulnerability that attributed its cause to “improper neutralization.”
Neutralization refers to the process of making sure that anything input into an application (like a contact form) is limited to what is expected and that nothing other than the expected input is allowed through.
Proper neutralization of a contact form means that it won’t allow a SQL command to reach the database.
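The difference between “improper” and proper neutralization comes down to whether form input can alter the SQL the application sends to the database. The following is an added example, not code from the article or from the Fluent Forms plugin, and it does not reflect the plugin’s actual schema or the actual flaw. It uses a constructed in-memory SQLite table of form submissions with three rows and assumed function names (`lookup_unsafe`, `lookup_safe`, `is_expected_email`). The unsafe version pastes the input into the query text, so a single quote in the input changes what the query means; the safe version binds the input as a parameter, so the database treats it purely as data. An allowlist check on the input format is shown as a second, defense-in-depth layer, matching the “limited to what is expected” idea above.

```python
import re
import sqlite3

# Constructed sample data standing in for a form-submissions table
# (not the Fluent Forms schema).
SUBMISSIONS = [
    (1, "alice@example.com", "Hello"),
    (2, "bob@example.com", "Question about pricing"),
    (3, "carol@example.com", "Support request"),
]

# Conservative allowlist for the one field this form expects: an e-mail address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Build an in-memory database holding the constructed submissions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER, email TEXT, message TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?, ?)", SUBMISSIONS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the input is concatenated into the SQL text, so quotes
    and keywords inside it are parsed as SQL instead of as a value. This is the
    'improper neutralization' the advisory describes."""
    sql = "SELECT id, email FROM submissions WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Fixed pattern: the query text is constant and the input is passed as a
    bound parameter, so the database never interprets it as SQL. In a WordPress
    plugin the equivalent mechanism is $wpdb->prepare()."""
    sql = "SELECT id, email FROM submissions WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_expected_email(value):
    """Defense in depth: reject anything that is not shaped like an e-mail
    address before it reaches the query layer. This is not a substitute for
    parameterized queries, only an extra layer."""
    return bool(EMAIL_RE.fullmatch(value))


def demo():
    """Run both lookups against a normal input and a constructed hostile input."""
    conn = make_db()
    honest = "bob@example.com"
    # Constructed textbook input: closes the string literal and appends a
    # condition that is always true. Against the unsafe lookup it returns
    # every row; against the safe lookup it matches nothing.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
        "validated_honest": is_expected_email(honest),
        "validated_hostile": is_expected_email(hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the unsafe lookup returning all three rows for the hostile input while the parameterized lookup returns none, and the format check rejecting the hostile input outright. The fix that matters is the bound parameter; the format check only narrows the surface further.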
Patchstack security company discovered and reported the vulnerability to the plugin developers.
Although Patchstack’s advisory states that the vulnerability was fixed in version 5.0.0, there is no mention of a security fix in the Fluent Forms Contact Form Builder changelog, where changes to the software are routinely logged.
It’s possible that one of those entries is the fix. But some plugin developers want to keep security fixes secret, for whatever reason.