SQL Injection in Advance Contact Form 7 DB
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form 7 DB WordPress plugin.
Current State of the Vulnerability
This plugin saves all Contact Form 7 submissions to the database using a friendly interface. Though the bug has been fixed in the 1.6.1 release, it can be exploited by an attacker who has (at minimum) a subscriber account.