WordPress Plugin Vulnerabilities

HollerBox < 2.1.4 - Admin+ SQL Injection

Description

The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.

Proof of Concept

1. Login as admin
2. Make sure HollerBox is installed and activated
3. From the /wp-admin/ page, navigate to HollerBox->Reports. Intercept the subsequent requests with a proxy.
4. Forward requests until the GET request for the following endpoint is intercepted: "/wp-json/hollerbox/report?before=<date>&after=<date>"
5. Modify the URL to be: /wp-json/hollerbox/report?before=&after='+UNION+SELECT+1,SLEEP(5),3,4,'5
6. Forward the request. The application will wait 5 seconds to respond due to the SLEEP(5) SQL function.

Affects Plugins

Plugin icon
holler-box
Fixed in 2.1.4

References

CVE
CVE-2023-2111

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
rSolutions Security Team
Submitter
rSolutions Security Team
Submitter website
https://rsolutions.com
Verified
Yes
WPVDB ID
7a0bdd47-c339-489d-9443-f173a83447f2

Timeline

Publicly Published
2023-05-08 (about 6 months ago)
Added
2023-05-08 (about 6 months ago)
Last Updated
2023-05-08 (about 6 months ago)

Other

Published
Title
Published
2023-05-22
Title
Contact Form Entries < 1.3.1 - SQL Injection
Published
2014-08-01
Title
WP DS FAQ <= 1.3.2 - ajax.php id Parameter SQL Injection
Published
2023-05-30
Title
Tutor LMS < 2.2.1 - Student+ SQL Injection
Published
2015-07-09
Title
WP Statistics <= 9.4 - Authenticated SQL Injection
Published
2022-02-07
Title
RegistrationMagic < 5.0.2.2 - Admin+ SQL Injection