WordPress Plugin Vulnerabilities

SupportCandy < 3.1.7 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.

Proof of Concept

wp-json/supportcandy/v2/agents/234563?id=-1 OR 1%3D(SELECT IF(1%3D1,SLEEP(10),1))

This request is delayed by 10 seconds.

Affects Plugins

Plugin icon
supportcandy
Fixed in 3.1.7

References

CVE
CVE-2023-2719

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
d9f6f4e7-a237-49c0-aba0-2934ab019e35

Timeline

Publicly Published
2023-05-22 (about 11 months ago)
Added
2023-05-24 (about 11 months ago)
Last Updated
2023-05-24 (about 11 months ago)

Other

Published
Title
Published
2023-11-23
Title
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Published
2024-02-27
Title
Conversios < 7.0.8 - Subscriber+ SQL Injection via ee_syncProductCategory
Published
2014-08-01
Title
SH Slideshow <= 3.1.4 - SQL Injection
Published
2024-04-22
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Authenticated (Contributor+) SQL Injection
Published
2023-10-11
Title
ChatBot < 4.9.1 - Unauthenticated Blind SQL Injection