WordPress Plugin Vulnerabilities

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

Description

The plugin does not validate or escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (exposed to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

Proof of Concept

1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9)
2. Create a new calendar (the specific configuration shouldn't matter - we just need the shortcode)
3. Create a new page containing the shortcode you receive when you finish creating the calendar
4. Visit the page you just created and extract the nonce (search for abc_nonce in the page source)
5. Invoke the following command to induce a 5-second sleep

curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)'

Note:
+ "abc_nonce" is the required nonce
+ "uniqid" can be any random string
+ "month" must be provided and be a valid integer (a month of the year)
+ "calendar" is the injection point
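The fix for the pattern described above is to coerce the AJAX parameters to the types the query needs and bind them with $wpdb->prepare(). The following handler is an added illustration written for this advisory, not the plugin's own code; the table name, column names and the nonce action string are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened handler for the AJAX
// action named in this advisory. Table/column names and the nonce action
// string are assumptions chosen for illustration.

add_action( 'wp_ajax_abc_booking_getSingleCalendar', 'abc_example_get_single_calendar' );
add_action( 'wp_ajax_nopriv_abc_booking_getSingleCalendar', 'abc_example_get_single_calendar' );

function abc_example_get_single_calendar() {
    global $wpdb;

    // A nonce embedded in a public page is not an authentication control:
    // the PoC above simply copies it out of the page source. Keep it for
    // CSRF protection, but do not treat it as the only guard.
    check_ajax_referer( 'abc_booking_nonce_action', 'abc_nonce' ); // nonce action name assumed

    // The unsafe pattern the advisory describes is interpolating the raw
    // request value into the SQL string (e.g. "... WHERE id = " . $_POST['calendar']).
    // Instead, reduce each input to the type the query actually needs.
    $calendar_id = isset( $_POST['calendar'] ) ? absint( $_POST['calendar'] ) : 0;
    $month       = isset( $_POST['month'] ) ? absint( $_POST['month'] ) : 0;

    if ( 0 === $calendar_id || $month < 1 || $month > 12 ) {
        wp_send_json_error( array( 'message' => 'invalid parameters' ), 400 );
    }

    // %d placeholders bind the value as an integer, so a subquery such as
    // "(SELECT ... SLEEP(5))" can never reach MySQL as SQL; absint() has
    // already turned that string into 0 and the request was rejected above.
    $table = $wpdb->prefix . 'abc_calendars'; // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, name FROM {$table} WHERE id = %d",
            $calendar_id
        )
    );

    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'calendar not found' ), 404 );
    }

    wp_send_json_success( array( 'calendar' => $row, 'month' => $month ) );
}
```

The same approach applies to any other value the action reads from the request: whitelist or cast it first, then pass it only through a prepared placeholder.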

Classification

Type: SQLI

Miscellaneous

Original Researcher: cydave
Submitter: cydave
Verified: Yes

Timeline

Publicly Published: 2022-02-28
Added: 2022-02-28
Last Updated: 2022-04-16
