CVE-2019-17072

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection attacks through the all-query-page.php file in the WordPress Contact Form Widget plugin. Attackers can execute arbitrary SQL commands, potentially compromising the entire WordPress database. All WordPress sites using version 1.0.9 of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress Contact Form Widget (new-contact-form-widget)
Versions: 1.0.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with this specific plugin version installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠 Likely Case: Database information disclosure, user data theft, and potential administrative access to WordPress.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, but still significant risk.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit is unauthenticated.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised through internal attackers or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0 or later

Vendor Advisory: https://wordpress.org/plugins/new-contact-form-widget/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Contact Form Widget - Contact Query, Form Maker'.
4. Click 'Update Now' if available, or delete the plugin and install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the Contact Form Widget plugin until it is patched (WP-CLI):

wp plugin deactivate new-contact-form-widget

Note that deactivating a plugin does not remove its files from the web root; if the vulnerable file can be requested directly, remove it as well (below) or delete the plugin entirely.

Remove vulnerable file (platform: linux)

Delete the vulnerable all-query-page.php file from the plugin directory (adjust the path to your WordPress installation):

rm /path/to/wp-content/plugins/new-contact-form-widget/all-query-page.php

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to minimum required functionality

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Contact Form Widget - Contact Query, Form Maker' version 1.0.9

Check Version:

wp plugin get new-contact-form-widget --field=version   (WP-CLI; run from the WordPress root)

Verify Fix Applied:

Verify plugin version is 1.1.0 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to all-query-page.php with SQL syntax

Network Indicators:

  • HTTP requests containing SQL injection payloads targeting all-query-page.php

SIEM Query:

source="web_access" AND uri="*all-query-page.php*" AND (request="*UNION*" OR request="*SELECT*" OR request="*INSERT*" OR request="*DELETE*")
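The SIEM query above matches literal keywords, so percent-encoded requests (for example `%55NION`) slip past it. As an added example, not taken from the page or the plugin vendor, the same detection logic as a small Python scanner over web access logs: it URL-decodes the query string before matching and uses word boundaries so benign parameter values such as `selection` are not flagged. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /wp-content/plugins/new-contact-form-widget/all-query-page.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:40 +0000] "GET /wp-content/plugins/new-contact-form-widget/all-query-page.php?id=3%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /wp-admin/admin.php?page=new-contact-form-widget HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:10 +0000] "POST /wp-content/plugins/new-contact-form-widget/all-query-page.php HTTP/1.1" 200 300 "-" "curl/7.64"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same keyword set as the SIEM query on this page.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")


def is_suspicious(target):
    """True if the request targets all-query-page.php and its decoded query carries an SQL keyword."""
    parts = urlsplit(target)
    if not parts.path.endswith("/all-query-page.php"):
        return False
    # Decode percent-encoding and '+' before matching, then compare case-insensitively.
    decoded = unquote_plus(parts.query).upper()
    return any(re.search(rf"\b{kw}\b", decoded) for kw in SQL_KEYWORDS)


def find_hits(log_text):
    """Return (client_ip, request_target) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_hits(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

Only the GET carrying a decoded UNION/SELECT keyword is reported; the plain lookup and the POST with no query string are not, so POST bodies need separate inspection (for example at the WAF) if the endpoint accepts them.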
