All In One Redirection < 2.2.0 – Admin+ SQLi | CVE 2023-2493 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

When adding a redirection, `source_url_insert` is vulnerable with the payload: `source_url_insert =%2ftest.html'%2b(select*from(select(sleep(8)))a)%2b'`

When deleting a redirect, `check_delete_btns` is vulnerable with the payload: `check_delete_btns%5B%5D=(select*from(select(sleep(20)))a

Adding the payload to the affected parameters results in the execution of the SQL query.

Affects Plugins

all-in-one-redirection

Fixed in 2.2.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Chien Vuong

Submitter

Chien Vuong

Verified

Yes

WPVDB ID

a9a205a4-eef9-4f30-877a-4c562930650c

Timeline

Publicly Published

2023-06-19 (about 2 years ago)

Added

2023-06-19 (about 2 years ago)

Last Updated

2023-06-19 (about 2 years ago)

Other

Published

Title

Published

2024-05-01

Title

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting < 1.13.2 - Authenticated (AccountingManager+) SQL Injection

Published

2024-12-20

Title

Frontend Admin by DynamiApps < 3.25.2 - Unauthenticated SQL Injection

Published

2022-03-21

Title

Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi

Published

2014-08-01

Title

Super CAPTCHA <= 2.2.4 - SQL Injection

Published

2021-07-24

Title

Edit Comments <= 0.3 - Unauthenticated SQL Injection