CVE-2015-9301

9.8 CRITICAL

📋 TL;DR

CVE-2015-9301 is a SQL injection vulnerability in the LiveForms WordPress plugin that allows attackers to execute arbitrary SQL commands. This affects WordPress sites using LiveForms plugin versions before 3.2.0. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • WordPress LiveForms plugin
Versions: All versions before 3.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with LiveForms plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full site takeover via privilege escalation.

🟠 Likely Case

Unauthorized data access, modification of form submissions, or extraction of sensitive information from the WordPress database.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are commonly exploited due to widespread scanning and automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.0

Vendor Advisory: https://wordpress.org/plugins/liveforms/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the LiveForms plugin.
4. Click 'Update Now' if available.
5. If not, download version 3.2.0+ from the WordPress repository and manually update.

🔧 Temporary Workarounds

Disable LiveForms Plugin

Applies to: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate liveforms

Web Application Firewall Rule

Applies to: all

Block SQL injection patterns targeting LiveForms endpoints.

ModSecurity rule: SecRule ARGS "(?i)(union|select|insert|update|delete|drop|create|alter)" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt'"
WAF configuration: block requests containing SQL keywords to /wp-content/plugins/liveforms/

Note that the ModSecurity rule as written inspects every argument on the site and matches substrings (for example "updated" or "selection"), so expect false positives unless it is scoped to the plugin path.

🧯 If You Can't Patch

  • Remove LiveForms plugin completely if not essential
  • Implement strict input validation and parameterized queries in custom code

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > LiveForms for the version number. If the version is below 3.2.0, the site is vulnerable.

Check Version:

wp plugin list --name=liveforms --field=version

Verify Fix Applied:

Confirm LiveForms plugin version is 3.2.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress or database logs
  • Multiple failed login attempts or form submissions with SQL keywords
  • Unexpected database errors in WordPress debug logs

Network Indicators:

  • HTTP requests to /wp-content/plugins/liveforms/ containing SQL keywords
  • Unusual traffic patterns to form submission endpoints

SIEM Query:

source="web_logs" AND (uri="*liveforms*" AND (query="*union*" OR query="*select*" OR query="*insert*" OR query="*update*" OR query="*delete*"))
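The SIEM query above can be reproduced offline against raw web server logs. The following script is an added example, not part of the original advisory: it parses Apache combined-format lines, restricts to requests under the LiveForms plugin path, URL-decodes each query parameter and looks for the same keyword set using word boundaries, which avoids flagging ordinary parameter values such as "updated_at" that the bare "*update*" wildcard would match. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/liveforms/?id=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/plugins/liveforms/?id=7 HTTP/1.1" 200 318 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /contact/?q=select+a+plan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:40 +0000] "POST /wp-content/plugins/liveforms/?form=3&sort=updated_at HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same keyword set as the SIEM query on this page; \b keeps "updated_at" from matching "update".
SQL_KEYWORDS = ("union", "select", "insert", "update", "delete")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

PLUGIN_PATH = "/wp-content/plugins/liveforms/"


def find_liveforms_sqli(log_text):
    """Return one record per request to the LiveForms path whose decoded query
    parameters contain a SQL keyword. Only the first matching parameter is reported."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().startswith(PLUGIN_PATH):
            continue  # scope to the vulnerable plugin, as the SIEM query does with uri="*liveforms*"
        # parse_qsl percent-decodes values and turns '+' into spaces before we inspect them
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kw = KEYWORD_RE.search(value)
            if kw:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                             "param": name, "keyword": kw.group(1).lower(), "value": value})
                break
    return hits


if __name__ == "__main__":
    for hit in find_liveforms_sqli(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} param={hit['param']} keyword={hit['keyword']}")
```

Running the script flags only the first line (parameter id, keyword union); the plain id=7 request, the non-plugin /contact/ page and the sort=updated_at parameter are not reported.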
