through the WordPress admin interface. An attacker can inject a SQL statement by sending a malicious request to the vulnerable server, then by sending a request with a valid reservation parameter to the vulnerable plugin. An attacker can also exploit this vulnerability by sending a request to an externally hosted WordPress site and then by sending a request with a valid reservation parameter to the vulnerable plugin. Vulnerable installations of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0 do not validate and escape the fields of the reservations table before using them in SQL queries, which could lead to a SQL injection attack if an attacker sends a request to the vulnerable installation with a valid reservation field. Note that this issue does not apply to the reservations table of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0 if it is installed on a different server. Because the fields of the reservations table are not validated and escaped when the table is used in SQL statements, a remote attacker could perform a SQL injection attack by sending a request to the installation of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0 with a valid reservation parameter. Through the use of this vulnerability, an attacker could inject a script into the database of the installation of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0.

Credit: https://hackerone.com/reports/228530

CVE-2022-2754
Through the use of this vulnerability, an attacker could inject a script into the database of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0

CVE-2023-2755
Through use of this vulnerability, an attacker could inject code into any database on an affected installation or send malicious requests that would execute arbitrary PHP code on behalf of any user of that installation through CSRF techniques exploited via cross-site scripting vulnerabilities such as CVE-2017-7374

Exploiting the vulnerability in WordPress

A vulnerability of the Ketchup Restaurant Reservations WordPress plugin through 1.0.0 allows an attacker to inject a malicious script into the database of the vulnerable installation of the plugin by sending a request that includes a valid reservation parameter to the vulnerable installation of the plugin. The affected plugin is installed on WordPress installations with WP Database for MySQL or MariaDB, which are at risk from this vulnerability.
The following POC demonstrates how an attacker can exploit this vulnerability:

Authentication and Authorization

The vulnerability exists because the Ketchup Restaurant Reservations plugin through 1.0.0 does not require authentication or authorization to edit or delete reservation records. A remote attacker could exploit this vulnerability by providing a valid reservation number to the plugin installation, which would allow them to view uploaded reservation records and make changes to them.

Timeline

Published on: 09/19/2022 14:15:00 UTC
Last modified on: 09/21/2022 06:28:00 UTC

References