Import all XML, CSV & TXT into WordPress < 6.5.8 – Admin+ SQLi | CVE 2022-3243 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin

Proof of Concept

With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payload in the language_code column: en' union select if(user_login='wordpress',sleep(5),null) from wp_users#

Affects Plugins

wp-ultimate-csv-importer

Fixed in 6.5.8

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Sanjay Das

Submitter

Sanjay Das

Submitter website

https://p3n7a90n.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

9f03bc1a-214f-451a-89fd-2cd3517e8f8a

Timeline

Publicly Published

2022-09-20 (about 1 years ago)

Added

2022-09-20 (about 1 years ago)

Last Updated

2022-09-20 (about 1 years ago)

Other

Published

Title

Published

2019-04-11

Title

Advanced Contact form 7 DB <= 1.6.0 - Authenticated SQL Injection

Published

2023-11-03

Title

RSVPMarker < 10.6.7 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Published

2023-12-21

Title

Squirrly SEO - Advanced Pack <= 2.3.8 - Authenticated(Administrator+) SQL Injection

Published

2021-06-29

Title

Secure Copy Content Protection and Content Locking < 2.6.7 - Authenticated Blind SQL Injections

Published

2014-08-01

Title

Comment Control 0.3.0 - comment-control.php type Parameter SQL Injection