WordPress Plugin Vulnerabilities

Web Invoice <= 2.1.3 - Authenticated SQLi

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well

Proof of Concept

When logged in with a user allowed to Manage invoice (default admin but can be changed via the plugin's settings), open the following URL

https://example.com/wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log

Affects Plugins

Plugin icon
web-invoice
No known fix

References

CVE
CVE-2022-4371
URL
https://bulletin.iese.de/post/web-invoice_2-1-3_1

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Submitter website
https://www.iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
45f43359-98c2-4447-b51b-2d466bad8261

Timeline

Publicly Published
2022-12-12 (about 11 months ago)
Added
2022-12-12 (about 11 months ago)
Last Updated
2022-12-12 (about 11 months ago)

Other

Published
Title
Published
2014-08-01
Title
plugin WP-Forum 1.7.4 - Remote SQL Injection
Published
2014-08-01
Title
WP RSS Poster 1.0.0 - wp-admin/admin.php wrp-add-new Page id Parameter SQL Injection
Published
2015-08-26
Title
Car Rental System <= 3.0 - SQL Injection
Published
2016-09-11
Title
MailPoet Newsletters <= 2.7.2 - SQL Injection
Published
2020-02-10
Title
Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection