WordPress Plugin Vulnerabilities

CommonsBooking < 2.6.8 - Unauthenticated SQL Injection

Description

The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection

Proof of Concept

Create an "item" and a "location" via the newly added commonsbooking admin menu
Take note of the item id and location id as they may be required for the exploit to work reliably
Invoke the following curl command to trigger a 5 second sleep (via "location" parameter):

curl http://127.0.0.1:8080/wp-admin/admin-ajax.php --data 'action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT 1743 FROM (SELECT(SLEEP(5)))iXxL3)'

Note: 
+ "sd" and "ed" are dates which should be in the future.
+ "item" should correspond to the item id you created previously (other values may work)
+ "location" is the injection point.

Affects Plugins

Plugin icon
commonsbooking
Fixed in 2.6.8

References

CVE
CVE-2022-0658

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
d7f0805a-61ce-454a-96fb-5ecacd767578

Timeline

Publicly Published
2022-02-21 (about 2 years ago)
Added
2022-02-21 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2021-10-07
Title
Schreikasten <= 0.14.18 - Author+ SQL Injections
Published
2022-11-21
Title
Icegram Express < 5.5.1 - Subscriber+ SQLi
Published
2022-08-01
Title
NEX-Forms < 7.9.7 - Authenticated SQLi
Published
2023-11-09
Title
MainWP < 4.4.3.4 - Authenticated (Administrator+) SQL Injection
Published
2015-03-18
Title
Easy Digital Downloads < 2.3.3 - SQL Injection