Groundhogg Contacts < 2.7.9.4 – Admin+ SQLi | CVE 2023-1425 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins

Proof of Concept

1. Login as a WordPress administrator or any of the custom roles from GroundHogg

2. Navigate to the URL: 
/wp-admin/admin.php?page=gh_contacts&orderby=first_name%2C+(CASE+WHEN+(SELECT+SLEEP(5)%3D1)+THEN+1+END)&order=asc

3. The web server will wait 5 seconds before responding indicating the sleep function is being run by the database.

Affects Plugins

Fixed in 2.7.9.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

rSolutions Security Team

Submitter

rSolutions Security Team

Submitter website

https://rsolutions.com

Verified

Yes

WPVDB ID

578f4179-e7be-4963-9379-5e694911b451

Timeline

Publicly Published

2023-03-20 (about 1 years ago)

Added

2023-03-20 (about 1 years ago)

Last Updated

2023-03-20 (about 1 years ago)

Other

Published

Title

Published

2022-03-08

Title

Slide Anything < 2.3.41 - Contributor+ SQLi

Published

2023-12-21

Title

Post SMTP < 2.8.7 - Admin+ SQL Injection

Published

2022-05-23

Title

KiviCare < 2.3.9 - Unauthenticated SQLi

Published

2023-09-18

Title

wpDiscuz < 7.6.6 - Unauthenticated SQL Injection

Published

2023-04-19

Title

Booking calendar, Appointment Booking System < 3.2.8 - Admin+ SQLi