WordPress Plugin Vulnerabilities

Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection

Description

The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.

Proof of Concept

1. Ensure the "Slider by BestWebSoft" plugin is also installed (https://wordpress.org/plugins/slider-bws/)
2. Go to Galleries > Add New.
3. Click "Add Media" and choose or upload an image.
4. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name `_gallery_order_12%5B13%5D` (note the `12` and `13` are ID's and will be different in each case). Change the inner ID (the `13` in this example) to the following: `%27%20UNION%20%28SELECT%20IF%281%3D1%2CSLEEP%2810%29%2CSLEEP%285%29%29%29%23`
5. Click on the Settings tab, and click the "Create New Slider" button.
6. Note the request takes 10 seconds, demonstrating the blind SQLi.

Affects Plugins

Plugin icon
gallery-plugin
Fixed in 4.7.0

References

CVE
CVE-2023-0765

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
2699cefa-1cae-4ef3-ad81-7f3db3fcce25

Timeline

Publicly Published
2023-03-27 (about 1 years ago)
Added
2023-03-27 (about 1 years ago)
Last Updated
2023-03-27 (about 1 years ago)

Other

Published
Title
Published
2018-02-25
Title
WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection
Published
2022-11-17
Title
Buddybadges <= 1.0.0 - Admin+ SQLi
Published
2021-10-11
Title
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
Published
2022-12-08
Title
Qe SEO Handyman <= 1.0 - Admin+ SQLi
Published
2017-10-03
Title
Relevanssi <= 3.6.0 - Authenticated Admin SQL Injection