Personal Dictionary < 1.3.4 – Unauthenticated SQLi | CVE 2022-1013

Description

The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.

Proof of Concept

1. Create a new page with the plugin's shortcode (shortcode can be copied from /wp-admin/admin.php?page=personal-dictionary)
2. Visit the page (as admin) with the shortcode and create a new group (any name is fine)
3. Click on the created group and add a new word to it (the word and it's translation don't matter) - then hit save and close
4. Invoke the following curl command to induce a 5 second sleep:

curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php' --data 'action=ays_pd_ajax&function=ays_pd_game_find_word&groupsIds[]=1) AND (SELECT 3892 FROM (SELECT(SLEEP(5)))pFvo)-- P'