WordPress Plugin Vulnerabilities
Personal Dictionary < 1.3.4 - Unauthenticated SQLi
Description
The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.
Proof of Concept
1. Create a new page with the plugin's shortcode (shortcode can be copied from /wp-admin/admin.php?page=personal-dictionary) 2. Visit the page (as admin) with the shortcode and create a new group (any name is fine) 3. Click on the created group and add a new word to it (the word and it's translation don't matter) - then hit save and close 4. Invoke the following curl command to induce a 5 second sleep: curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php' --data 'action=ays_pd_ajax&function=ays_pd_game_find_word&groupsIds[]=1) AND (SELECT 3892 FROM (SELECT(SLEEP(5)))pFvo)-- P'
Affects Plugins
Fixed in version 1.3.4
References
Classification
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-04-18 (about 7 months ago)
Added
2022-04-18 (about 7 months ago)
Last Updated
2022-04-19 (about 7 months ago)