WP ERP < 1.12.4 – Admin+ SQL Injection | CVE 2023-2744 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

Sign in as an admin. In WP Admin, run the following code in the browser console, and notice that it takes several seconds to complete, demonstrating the SQL Injection vulnerability.

await wp.apiRequest({path: `/erp/v1/accounting/v1/people?type=x')+AND+(SELECT+1+FROM+(SELECT+SLEEP(3))x)+AND+('x'%3d'x`});

Affects Plugins

Fixed in 1.12.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arvandy

Submitter

Arvandy

Submitter website

https://arvandy.github.io

Verified

Yes

WPVDB ID

435da8a1-9955-46d7-a508-b5738259e731

Timeline

Publicly Published

2023-06-05 (about 11 months ago)

Added

2023-06-05 (about 11 months ago)

Last Updated

2023-06-05 (about 11 months ago)

Other

Published

Title

Published

2014-08-01

Title

WPtouch 1.9.8 - include/submit.php Multiple Parameter SQL Injection

Published

2023-12-21

Title

Squirrly SEO - Advanced Pack <= 2.3.8 - Authenticated(Administrator+) SQL Injection

Published

2014-08-01

Title

wp audio gallery playlist <= 0.12 - SQL Injection

Published

2014-08-01

Title

Simple Retail Menus 4.0.1 - includes/actions.php targetmenu Parameter SQL Injection

Published

2022-05-02

Title

WP Contacts Manager <= 2.2.4 - Unauthenticated SQLi