CP Image Store with Slideshow < 1.0.68 – Unauthenticated SQLi | CVE 2022-1692 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack

Proof of Concept

On a page where the [codepeople-image-store] is embed, append the following payload ordering_by=post_author+and+sleep(5)

e.g: https://example.com/?cpis_image=test&ordering_by=post_author+and+sleep(5)

Affects Plugins

Fixed in 1.0.68

References

CVE

URL

https://bulletin.iese.de/post/cp-image-store_1-0-67

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)

Submitter

Daniel Krohmer

Submitter website

https://iese.fraunhofer.de/en.html

Verified

Yes

WPVDB ID

83bae80c-f583-4d89-8282-e6384bbc7571

Timeline

Publicly Published

2022-05-09 (about 3 years ago)

Added

2022-05-12 (about 3 years ago)

Last Updated

2022-05-14 (about 3 years ago)

Other

Published

Title

Published

2025-02-24

Title

Yawave <= 2.9.1 - Unauthenticated SQL Injection

Published

2024-04-22

Title

ARforms < 6.4.1 - Authenticated (Subscriber+) SQL Injection

Published

2024-07-04

Title

Youzify < 1.2.6 - Authenticated (Contributor+) SQL Injection

Published

2020-06-07

Title

Events Manager < 5.9.8 - Admin+ SQL Injection

Published

2025-08-20

Title

Listeo-Core <= 1.9.32 - Authenticated (Subscriber+) SQL Injection