Wp Forms Connector
Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.
SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.
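Both entries above share the same root cause: a route registered with `__return_true` whose own header check never verifies a password. The second also concatenates `order` into ORDER BY. The sketch below is an added example, not the plugin's code or its fix, and shows a route that avoids both; the `example/v1` namespace, the `example_*` function names and the query itself are hypothetical.

```php
<?php
// Added example: hypothetical namespace, route and function names; not the plugin's code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/post/list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_posts',
        // Authorization goes through WordPress's own authentication and capability
        // system instead of '__return_true' plus a custom header comparison.
        'permission_callback' => 'example_require_admin',
        'args'                => array(
            'order' => array(
                'default'           => 'DESC',
                'sanitize_callback' => function ( $value ) {
                    return strtoupper( (string) $value );
                },
                // Allowlist: only these two literals are accepted for the sort direction.
                'validate_callback' => function ( $value ) {
                    return in_array( strtoupper( (string) $value ), array( 'ASC', 'DESC' ), true );
                },
            ),
        ),
    ) );
} );

function example_require_admin( WP_REST_Request $request ) {
    // current_user_can() reflects the user WordPress itself authenticated
    // (cookie + nonce, or an application password), so no credential is
    // trusted without having been verified.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator access required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_list_posts( WP_REST_Request $request ) {
    global $wpdb;
    // Re-check here so the query never depends on upstream validation alone.
    $order = 'ASC' === $request->get_param( 'order' ) ? 'ASC' : 'DESC';
    // Values are bound with prepare(); the direction keyword is a fixed literal.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY post_date {$order} LIMIT %d",
        'publish', 20
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

A user-listing route built the same way would also select only the fields it needs, so that `user_pass` is never serialized into a response.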