CVE-2022-0228 PoC — Wordpress Plugin Popup Builder SQL注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-0228.yaml

Associated Vulnerability

Title:Wordpress Plugin Popup Builder SQL注入漏洞 (CVE-2022-0228)
Description:WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是WordPress开源的一个应用插件。 Wordpress Plugin Popup Builder 中存在SQL注入漏洞，该漏洞源于产品未对管理页面中的orderby 和 order参数中的特殊字符进行有效处理。以下产品及版本受到影响：Wordpress Plugin Popup Builder 4.0.7 之前版本。

Description

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.

File Snapshot


 id: CVE-2022-0228

info:
  name: Popup Builder < 4.0.7 - SQL Injection
  author: r3Y3r53
  severity:

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!