Title: DB injection
Last modified: May 6, 2020

---

# DB injection

 *  Resolved [Roberto Jobet](https://wordpress.org/support/users/robertojobet/)
 * (@robertojobet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/)
 * Hi,
 * I installed NF on a WP website a few weeks ago.
 * Today I found that a Russian IP successfully performed a DB injection even
   though NF was protecting the website…
 * Isn’t NF supposed to block DB injections?
 * Best regards

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/#post-12792712)
 * Yes it is, but injections that are performed from a PHP script, i.e., not if
   someone connects directly to your DB with its credentials.
 * Could you clarify some points:
   1. Do you have the Duplicator plugin installed (or similar plugins that had
      critical vulnerabilities during the past few months)?
   2. What did they change in the DB: post/page content, site options etc?
 *  Thread Starter [Roberto Jobet](https://wordpress.org/support/users/robertojobet/)
 * (@robertojobet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/#post-12793021)
 * Hi,
    Thanks for your quick reply! I noticed this injection during a malware
   scan, which found it in the website’s DB:
 * Wamesjeoni
    WamesjeoniQS eurlsbc@xxxx.com
   xxxx viagra from the uk viagra lavitra viagra [viagra 100mg  – viagra softabs viagra uk buy 1 SUBMIT No 39 5.164.203.239 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Kinza/4.8.2 [https://www.xxx.com/en/contact/](https://www.xxx.com/en/contact/) 05/05/2020 8:29 pm
 * Investigating further, I found the following entry in the Sucuri security
   plugin log file:
    20:29 system: Flamingo_contact status has been changed (details): ID:
   37913, Old status: new, New status: publish, Title: eurlsbc@xxxx.com
   IP: 5.164.203.239
 * This entry is related to a plugin (called Flamingo) that is installed on this
   website.
    So it seems that the injection came through this plugin…
 * I’ve checked for any recent vulnerability in this plugin, but I didn’t find
   anything.
    I’ve contacted the plugin’s developer to investigate further…
 * I’ve tried to look in the Apache webserver’s log file, but I didn’t find any
   connection from this IP address yesterday at 8:29 pm….
 * How did he succeed in injecting the code into the website’s DB?!
 * Thanks for any help
    -  This reply was modified 6 years, 1 month ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/#post-12793492)
 * [@robertojobet](https://wordpress.org/support/users/robertojobet/) Please don’t
   post phone numbers, email addresses, or links when you post something like this.
   This is the 2nd one of these I’ve had to scrub today!
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/#post-12794283)
 * I don’t really see any issue with that. I’m not familiar with Flamingo, but its
   description page reads:
 * > This plugin stores submission data collected through contact forms, which may
   > include the submitters’ personal information, in the database on the server
   > that hosts the website.
 * So what I see is that someone used your contact form to send spam, and Flamingo
   saved it to the DB. When scanning the DB, your plugin noticed the viagra-related
   keywords and links, and flagged them.
 * Did I miss something? Does your site look hacked, or is everything as usual? Did
   you receive any alert or notification from NinjaFirewall?
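
The Apache log search from the thread starter's reply and the contact-form explanation in the last reply can be checked together. The script below is an added example, not part of the original thread or of any plugin mentioned in it: it looks for requests from the reported IP around the event time after converting the site-local time to UTC. The log lines, the UTC+2 site offset and the function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: client IP, timestamp with UTC offset, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_requests(log_lines, ip, event_local, site_utc_offset_hours, window_minutes=5):
    """Return (utc_time, method, path, status) for requests from `ip` near the event.

    event_local is the naive time shown by WordPress or the scanner. It is
    converted to UTC using the site's offset, because Apache timestamps carry
    their own offset and the server may log in a different timezone.
    """
    site_tz = timezone(timedelta(hours=site_utc_offset_hours))
    event_utc = event_local.replace(tzinfo=site_tz).astimezone(timezone.utc)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] != ip:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        if abs(ts - event_utc) <= window:
            hits.append((ts, m["method"], m["path"], int(m["status"])))
    return hits

def post_paths(hits):
    """Paths that received a POST: a form submission shows up here, not as a DB login."""
    return [path for _, method, path, _ in hits if method == "POST"]

# Constructed sample lines (not from the thread). The server is assumed to log
# in UTC while the site displays UTC+2, so 8:29 pm on the site is 18:29 in the log.
SAMPLE_LOG = [
    '5.164.203.239 - - [05/May/2020:18:28:57 +0000] "GET /en/contact/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '5.164.203.239 - - [05/May/2020:18:29:03 +0000] "POST /en/contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/May/2020:20:29:10 +0000] "GET / HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_requests(SAMPLE_LOG, "5.164.203.239", datetime(2020, 5, 5, 20, 29), 2)
    for ts, method, path, status in hits:
        print(ts.isoformat(), method, path, status)
    print("POST targets:", post_paths(hits))
```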


The topic ‘DB injection’ is closed to new replies.


 * 4 replies
 * 3 participants
 * Last reply from: [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * Last activity: [6 years, 1 month ago](https://wordpress.org/support/topic/db-injection/#post-12794283)
 * Status: resolved