WordPress Plugin Vulnerabilities

Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection

Description

The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.

Proof of Concept

1. Go to the All Export > New Export screen in the WordPress admin.
2. Now click on Specific Post Type > Posts.
3. Click now on Migrate Posts and intercept this request and look for the name cpt:

Content-Disposition: form-data; name="cpt"
post

Change it to:

Content-Disposition: form-data; name="cpt"
post'+(select*from(select(sleep(10)))a)+'

Now you will see a later response of 10 seconds, thus confirming the authenticity of the sqli vulnerability.

Affects Plugins

Plugin icon
wp-all-export
Fixed in 1.3.5

References

CVE
CVE-2022-1800
URL
https://www.hackpertise.com/cve/37-cve-2022-1800/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
4267109c-0ca2-441d-889d-fb39c235f128

Timeline

Publicly Published
2022-05-20 (about 1 years ago)
Added
2022-05-20 (about 1 years ago)
Last Updated
2023-02-13 (about 1 years ago)

Other

Published
Title
Published
2023-12-21
Title
Advanced Form Integration < 1.76.0 - Authenticated(Administrator+) SQL Injection
Published
2020-11-24
Title
Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
Published
2023-12-21
Title
Login Lockdown < 2.07 - Admin+ SQLi
Published
2014-08-01
Title
IndiaNIC FAQs Manager 1.0 - Blind SQL Injection
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Admin+) SQL Injection via entry