
CVE-2022-2718: Changeset 2767877 for joomsport-sports-league-results-management – WordPress Plugin Repository

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
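
The root cause described above is that `esc_sql()` only escapes characters for use inside a quoted string, while an `ORDER BY` value is placed in the query unquoted. As an added example (not code from the plugin or from WordPress; `build_order_by()` and its parameters are hypothetical), the sort key can instead be mapped through a developer-defined allowlist, here modeled on the `e_name` / `player_event` columns in the changeset:

```php
<?php
// Added example: hypothetical helper, not JoomSport or WordPress code.

/**
 * Build an ORDER BY clause from request input using an allowlist.
 *
 * @param array  $request  Request parameters (e.g. $_REQUEST).
 * @param array  $sortable Map of public sort key => real column name.
 * @param string $default  Column used when the key is missing or unknown.
 */
function build_order_by( array $request, array $sortable, string $default ): string {
    $key = isset( $request['orderby'] ) && is_string( $request['orderby'] )
        ? $request['orderby'] : '';
    // Only identifiers listed by the developer ever reach the SQL string;
    // the request value is used as a lookup key, never concatenated.
    $column = $sortable[ $key ] ?? $default;

    // The direction is reduced to one of two literals, defaulting to ASC.
    $dir = isset( $request['order'] ) && is_string( $request['order'] )
        ? strtoupper( $request['order'] ) : 'ASC';
    if ( ! in_array( $dir, array( 'ASC', 'DESC' ), true ) ) {
        $dir = 'ASC';
    }

    return " ORDER BY `{$column}` {$dir}";
}

// Constructed sample inputs (not taken from the plugin).
$sortable = array(
    'name'         => 'e_name',
    'player_event' => 'player_event',
);

// A known key with a lower-case direction.
echo build_order_by( array( 'orderby' => 'name', 'order' => 'desc' ), $sortable, 'ordering' ), "\n";

// An unknown key and an invalid direction both fall back to the defaults.
echo build_order_by( array( 'orderby' => 'unexpected value', 'order' => 'x' ), $sortable, 'ordering' ), "\n";

// No sort parameters at all: default column, ascending.
echo build_order_by( array(), $sortable, 'ordering' ), "\n";
```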


  • joomsport-sports-league-results-management/trunk/includes/moderator/joomsport-moder-mday.php

    r2517792

    r2767877

56

56

57

57

        if ( ! empty( $\_REQUEST\['orderby'\] ) ) {

58

 

          $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );

59

 

          $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';

 

58

            $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );

 

59

60

60

        }

61

61

        if(!$season\_id){
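
Review bot: the return value of `sanitize_sql_orderby()` on new line 58 is concatenated unchecked. The function returns false when the input does not match its column/direction pattern, so a rejected value leaves a bare `' ORDER BY '` in `$sql` and the query fails instead of falling back to a default sort. Suggest storing the result in a variable, appending the clause only when it is not false, and using a fixed default column otherwise.
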
  • joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-events.php

    r2679820

    r2767877

34

34

35

35

        if ( ! empty( $\_REQUEST\['orderby'\] ) ) {

36

 

          $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );

37

 

          $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';

 

36

          //$sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );

 

37

          //$sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';

 

38

          $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );

38

39

        }else{

39

40

            $sql .= ' ORDER BY ordering';
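
Review bot: new lines 36-37 keep the old `esc_sql()` concatenation as commented-out code. Delete the two lines rather than commenting them out; the revision history already records the previous version, and leaving the replaced pattern in the file makes it easy to restore by accident.
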

…

…

 

44

45

        $sql .= ' OFFSET ' . ( $page\_number - 1 ) \* $per\_page;

45

46

46

 

 

47

//echo $sql;die();

47

48

        $result = $wpdb->get\_results( $sql, 'ARRAY\_A' );

48

49
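
Review bot: new line 47 adds a commented-out debug statement, `//echo $sql;die();`, directly above the `$wpdb->get_results( $sql, 'ARRAY_A' )` call. Remove it before release; if uncommented it would print the assembled query and halt the page, and it does not belong in a security fix.
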

…

…

 

113

114

    public function get\_sortable\_columns() {

114

115

        $sortable\_columns = array(

115

 

          'name' => array( 'name', true ),

 

116

          'name' => array( 'e\_name', true ),

116

117

            'player\_event' => array( 'player\_event', true ),

117

118

        );
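
Review bot: the `'name'` entry now maps to `e_name`, but nothing visible in this changeset checks `$_REQUEST['orderby']` against the values returned by `get_sortable_columns()`. `sanitize_sql_orderby()` validates only the shape of the string, so any identifier-like value is still passed into the query. Suggest validating the requested column against this array and falling back to `ordering`, as the existing else branch does, when it is not listed.
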
  • joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-extrafields.php

    r2540219

    r2767877

31

31

32

32

        if ( ! empty( $\_REQUEST\['orderby'\] ) ) {

33

 

          $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );

34

 

          $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';

 

33

            $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );

 

34

35

35

        }

36

36
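
Review bot: new line 33 interpolates `$_REQUEST['order']` without the `empty()` check that the removed line 34 had. A request that carries `orderby` but no `order` now reads an undefined array key. Suggest resolving the direction first, defaulting to `'ASC'` when the parameter is empty, and only then passing the combined string to `sanitize_sql_orderby()`.
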
  • joomsport-sports-league-results-management/trunk/includes/pages/joomsport-page-stages.php

    r2540219

    r2767877

31

31

32

32

        if ( ! empty( $\_REQUEST\['orderby'\] ) ) {

33

 

          $sql .= ' ORDER BY ' . esc\_sql( $\_REQUEST\['orderby'\] );

34

 

          $sql .= ! empty( $\_REQUEST\['order'\] ) ? ' ' . esc\_sql( $\_REQUEST\['order'\] ) : ' ASC';

 

33

          $sql .= ' ORDER BY ' . sanitize\_sql\_orderby( "{$\_REQUEST\['orderby'\]} {$\_REQUEST\['order'\]}" );

 

34

35

35

        }

36

36
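
Review bot: new line 33 is the fourth copy of the same `ORDER BY` statement in this changeset (also in joomsport-moder-mday.php, joomsport-page-events.php and joomsport-page-extrafields.php). Suggest moving the `orderby`/`order` handling into one shared helper so that the validation, the default direction and the handling of a false result from `sanitize_sql_orderby()` are defined once and cannot drift between pages.
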

…

…

 

92

92

    public function get\_sortable\_columns() {

93

93

        $sortable\_columns = array(

94

 

          'name' => array( 'name', true )

 

94

          'name' => array( 'm\_name', true )

95

95

        );

96

96
  • joomsport-sports-league-results-management/trunk/joomsport.php

    r2761633

    r2767877

4

4

Plugin URI: http://joomsport.com

5

5

Description: Sport league plugin

6

 

Version: 5.2.5

 

6

Version: 5.2.6

7

7

Author: BearDev

8

8

Author URI: http://BearDev.com
  • joomsport-sports-league-results-management/trunk/readme.txt

    r2761633

    r2767877

125

125

\== Changelog ==

126

126

 

127

\= 5.2.6 =

 

128

\* Vulnerabilities found. Critical fixes delivered!

 

129

127

130

\= 5.2.5 =

128

131

\* Minor fixes (paging in matches tab, warnings, notices, etc.)
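
Review bot: the 5.2.6 changelog entry on new line 128, "Vulnerabilities found. Critical fixes delivered!", does not say what was fixed. Suggest naming the issue (SQL injection through the `orderby` parameter on the admin list pages) and the affected versions, so that site administrators can judge how urgently to update.
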
  • joomsport-sports-league-results-management/trunk/sportleague/classes/objects/class-jsport-player.php

    r2444527

    r2767877

175

175

            $tabs\[$intA\]\['body'\] = '';

176

176

            $this->lists\['pagination'\] = $this->lists\['match\_pagination'\];

177

 

            $tabs\[$intA\]\['text'\] = jsHelper::getMatches($this->lists\['matches'\], $this->lists);

 

177

            $tabs\[$intA\]\['text'\] = '<form>'.jsHelper::getMatches($this->lists\['matches'\], $this->lists, false).'<input type="hidden" name="jscurtab" value="stab\_matches" /><input type="hidden" name="sid" value="'.esc\_attr($this->season\_id).'" /></form>';

178

178

            $tabs\[$intA\]\['class'\] = '';

179

179

            $tabs\[$intA\]\['ico'\] = 'js-match';
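
Review bot: the change on new line 177 is unrelated to the `orderby` fix and is not mentioned in the changelog. It wraps the matches tab in a `<form>` with no `method` or `action`, adds hidden `jscurtab` and `sid` inputs, and passes a new third argument `false` to `jsHelper::getMatches()` whose meaning is not documented here. Suggest committing it separately with a description of the behaviour change, and adding a comment that explains the third argument.
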
