WP ERP < 1.12.4 – Admin+ SQL Injection | CVE 2023-2744 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

Sign in as an admin. In WP Admin, run the following code in the browser console, and notice that it takes several seconds to complete, demonstrating the SQL Injection vulnerability.

await wp.apiRequest({path: `/erp/v1/accounting/v1/people?type=x')+AND+(SELECT+1+FROM+(SELECT+SLEEP(3))x)+AND+('x'%3d'x`});

Affects Plugins

Fixed in 1.12.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arvandy

Submitter

Arvandy

Submitter website

https://arvandy.github.io

Verified

Yes

WPVDB ID

435da8a1-9955-46d7-a508-b5738259e731

Timeline

Publicly Published

2023-06-05 (about 2 years ago)

Added

2023-06-05 (about 2 years ago)

Last Updated

2023-06-05 (about 2 years ago)

Other

Published

Title

Published

2019-07-18

Title

Everest Forms < 1.5.0 - SQL Injection

Published

2024-10-18

Title

SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection

Published

2018-01-10

Title

Smooth Slider <= 2.8.6 - Authenticated SQL Injection

Published

2024-02-09

Title

RSS Aggregator by Feedzy < 4.4.3 - Authenticated(Contributor+) SQL Injection

Published

2018-05-27

Title

Membermouse < 2.2.9 - Blind SQL Injection