5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi
Description
The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection. The code does attempt to sanitise the input with sanitize_text_field(), but that function is not intended to prevent SQL injection.
Proof of Concept
1. Create a new funnel (All Rating Funnels sub-menu).
2. Create a new lead (Leads / Feedbacks sub-menu).
3. Invoke the following curl command to trigger a 5 second sleep:

   curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids[]=(SELECT SLEEP(5))) AND 1=1 #'
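As an added illustration (not the plugin's code, which this page does not reproduce), a hypothetical handler for the rrtngg_delete_leads action in the unsafe shape the description implies, followed by a hardened form that binds ids with $wpdb->prepare() and restricts the action to privileged users; the table name, capability and nonce name are assumptions.

```php
<?php
// Added example, not the plugin's code. Table, capability and nonce names are assumed.

// UNSAFE: sanitize_text_field() strips tags, control characters and surrounding
// whitespace, but leaves SQL metacharacters untouched. Each lead_ids[] value is
// still interpolated into the statement text, so the request controls the query.
function rrtngg_delete_leads_unsafe() {
    global $wpdb;
    $ids = array_map( 'sanitize_text_field', (array) ( $_POST['lead_ids'] ?? array() ) );
    $sql = "DELETE FROM {$wpdb->prefix}rrtngg_leads WHERE id IN (" . implode( ',', $ids ) . ")";
    $wpdb->query( $sql );
    wp_send_json_success();
}

// HARDENED: require a capability and a nonce (the advisory notes the action was
// reachable by unauthenticated users), coerce every id to a non-negative integer,
// and bind the values through %d placeholders so request data never becomes SQL text.
function rrtngg_delete_leads_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'rrtngg_delete_leads', 'nonce' );

    global $wpdb;
    // absint() turns "(SELECT SLEEP(5))) AND 1=1 #" into 0, which array_filter drops.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['lead_ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid lead ids', 400 );
    }

    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'rrtngg_leads';
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", array_values( $ids ) )
    );
    wp_send_json_success( array( 'deleted' => $wpdb->rows_affected ) );
}

// Register only the authenticated hook; no wp_ajax_nopriv_ variant for a destructive action.
add_action( 'wp_ajax_rrtngg_delete_leads', 'rrtngg_delete_leads_hardened' );
```

With the hardened handler, the curl request from the proof of concept is rejected before any query runs, and even an authenticated caller can only pass integer ids.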
Classification
Type
SQLI
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Verified
Yes
Timeline
Publicly Published
2022-03-29
Added
2022-03-29
Last Updated
2022-04-13