$4,500 Bounty: SQL Injection in WordPress Plugin Leads to PII Exposure at Grab
Summary
A security researcher known only by the handle jouko discovered a critical SQL injection vulnerability in the Formidable Pro WordPress plugin and was rewarded with a $4,500 bounty by Grab.
Jouko discovered that the plugin’s AJAX preview function, designed for administrators designing forms, was mistakenly available to unauthorised users, exposing sensitive partner data.
The vulnerability could also have provided a path to remote code execution, because it gave an unauthorised user access to the WordPress database.
The researcher was able to demonstrate the vulnerability through cURL, illustrating how an attacker could gain access.
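The two mistakes described above, an admin-only AJAX preview handler registered so that it is reachable without authorisation, and a database query built from request input, are a common pattern in WordPress plugins. The following is an added illustration written for this summary, not Formidable Pro's code and not the researcher's proof of concept; the hook names, the `example_forms` table and the function names are hypothetical. It places the weak handler beside a hardened one so the defensive controls can be seen side by side.

```php
<?php
// Hypothetical WordPress plugin snippet (added example, not Formidable Pro's code).
// Weak pattern followed by hardened pattern for an AJAX "form preview" handler.

// --- Weak pattern ----------------------------------------------------------
// The same callback is registered on both hooks. The wp_ajax_nopriv_ hook makes
// the handler reachable by visitors who are not logged in, and the handler
// itself checks neither a nonce nor a capability and concatenates user input
// straight into SQL.
add_action( 'wp_ajax_example_form_preview', 'example_form_preview_weak' );
add_action( 'wp_ajax_nopriv_example_form_preview', 'example_form_preview_weak' );

function example_form_preview_weak() {
    global $wpdb;
    $form_id = $_GET['form_id'];                                                   // untrusted, unvalidated
    $sql     = "SELECT * FROM {$wpdb->prefix}example_forms WHERE id = $form_id"; // injectable
    $row     = $wpdb->get_row( $sql );
    wp_send_json( $row );
}

// --- Hardened pattern ------------------------------------------------------
// Registered on the authenticated hook only. With no wp_ajax_nopriv_ registration,
// an anonymous request never reaches the handler; WordPress answers it with its
// default "0" response instead.
add_action( 'wp_ajax_example_form_preview_safe', 'example_form_preview_safe' );

function example_form_preview_safe() {
    global $wpdb;

    // Reject requests that do not carry a nonce issued to this user for this action (CSRF).
    check_ajax_referer( 'example_form_preview', 'nonce' );

    // Only users allowed to manage the site may preview forms.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Coerce the id to a non-negative integer; anything that is not a positive id is rejected.
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'invalid form id' ), 400 );
    }

    // Parameterised query: the value is bound by $wpdb->prepare, never concatenated.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, name, settings FROM {$wpdb->prefix}example_forms WHERE id = %d",
            $form_id
        )
    );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // Return only the columns the preview needs rather than the whole row.
    wp_send_json_success( $row );
}
```

When reviewing a plugin for this class of bug, two quick checks cover most of it: list every `wp_ajax_nopriv_` registration and confirm each handler genuinely needs to serve anonymous users, and list every `$wpdb->query`, `get_row`, `get_results` and `get_var` call and confirm the SQL passed to it comes from `$wpdb->prepare` whenever request data is involved.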