In a bug report that earned a $4,500 bounty from Grab, security researcher jouko uncovered a critical SQL injection vulnerability in the Formidable Pro WordPress plugin used on www.drivegrab.com. The flaw gave unauthorized users read access to the WordPress database, exposing sensitive partner data, and nearly opened a path to remote code execution (RCE).
Vulnerability Overview
The plugin's AJAX preview function, meant for administrators designing forms, was mistakenly exposed to unauthenticated users. It accepted parameters such as after_html that could contain WordPress shortcodes, including the plugin's own [display-frm-data] shortcode, whose order_by and order attributes could be manipulated to perform SQL injection.
Proof of Concept (PoC)
Using cURL, the researcher demonstrated the issue with a single unauthenticated request:
curl -s -i 'https://www.drivegrab.com/wp-admin/admin-ajax.php' \
--data 'action=frm_forms_preview&after_html=XXX[display-frm-data id=835 order_by=id limit=1 order=zzz]YYY'
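The following is an added detection helper, not code from the report or from the plugin, that scans admin-ajax.php POST bodies for frm_forms_preview calls carrying a [display-frm-data] shortcode and flags order and order_by attribute values outside a simple allowlist (ASC/DESC for order, a plain identifier for order_by). The sample bodies are constructed for the example; the shortcode and parameter names come from the report above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies (not captured traffic from the report).
SAMPLE_BODIES = [
    "action=frm_forms_preview&after_html=XXX[display-frm-data id=835 order_by=id limit=1 order=zzz]YYY",
    "action=frm_forms_preview&after_html=[display-frm-data id=835 order_by=created_at order=DESC]",
    "action=frm_forms_preview&after_html=%3Cp%3Eplain%20markup%3C%2Fp%3E",
    "action=heartbeat&_nonce=abc",
]

SHORTCODE_RE = re.compile(r"\[display-frm-data\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s\]]+)""")
SAFE_IDENT = re.compile(r"^[A-Za-z0-9_]+$")   # what a column name should look like
SAFE_ORDER = {"asc", "desc"}                  # the only sane values for order=

def parse_shortcode_attrs(text):
    """Return the attribute dict of every [display-frm-data ...] tag found in text."""
    tags = []
    for m in SHORTCODE_RE.finditer(text):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(m.group(1))}
        tags.append(attrs)
    return tags

def inspect_body(body):
    """Return findings for one admin-ajax.php POST body (empty list = nothing suspicious)."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "frm_forms_preview":
        return []
    findings = []
    for name, values in params.items():
        for value in values:
            for attrs in parse_shortcode_attrs(value):
                findings.append(f"{name}: shortcode [display-frm-data] passed to preview")
                order = attrs.get("order", "")
                if order and order.lower() not in SAFE_ORDER:
                    findings.append(f"{name}: order={order!r} is not ASC/DESC")
                order_by = attrs.get("order_by", "")
                if order_by and not SAFE_IDENT.match(order_by):
                    findings.append(f"{name}: order_by={order_by!r} is not a plain column name")
    return findings

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body[:60], "->", inspect_body(body) or "clean")
```

The allowlist mirrors the server-side fix a developer would want (reject anything but ASC/DESC and a known column), while the shortcode-in-preview finding on its own is a useful signal because the preview endpoint should never be reached by anonymous callers.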