CVE-2024-0685: 
WordPress vulnerability analysis and mitigation

The Ninja Forms Contact Form Plugin for WordPress is vulnerable to Second Order SQL Injection (CVE-2024-0685) in versions up to and including 3.7.1. The vulnerability was discovered on January 17, 2024, and affects over 800,000 active installations. The issue exists in the email address value handling during form submissions, where insufficient escaping of user-supplied parameters and inadequate SQL query preparation create a security risk (Stealthcopter Blog, NVD).

The vulnerability occurs in the get_subs_by_email function when processing data export requests. The function directly inserts user-provided email addresses into a raw SQL statement without proper sanitization. According to RFC 5322, email addresses can contain special characters including single quotes, which can be exploited to escape string boundaries in SQL queries. Attackers can craft malicious email addresses using SQL comments (/**/) to separate keywords and inject arbitrary SQL commands. The vulnerability has received a CVSS v3.1 base score of 5.9 (Medium) from Wordfence, while NIST assigned it a score of 9.8 (Critical) (NVD, Stealthcopter Blog).

When exploited, this vulnerability allows unauthenticated attackers to inject SQL code through their email address that will execute when an administrator triggers a personal data export. This can result in unauthorized access to all user data stored in the forms, posing significant privacy and security risks, particularly concerning GDPR compliance (Stealthcopter Blog).

The vulnerability has been patched in version 3.7.2 of the Ninja Forms plugin, released on January 29, 2024. Users are strongly advised to update to this version or later to protect against this vulnerability (Stealthcopter Blog).