Home Tools Exploits & CVE's WordPress WP Brutal AI Cross Site Request Forgery / SQL Injection

WordPress WP Brutal AI Cross Site Request Forgery / SQL Injection

July 26, 2023

273

WordPress WP Brutal AI plugin versions prior to 2.0.0 suffer from cross site request forgery and remote SQL injection vulnerabilities.

advisories | CVE-2023-2601

Change Mirror Download

Tittle:
WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRF

References:
CVE-2023-2601

Author:
Taurus Omar 

Description:
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

Affects Plugins:
WP Brutal AI - Fixed in version 2.0.0

Proof of Concept:

When there is a created campaign, access the following link as an admin:

https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1+and+sleep%2815%29 

Classification:
Type SQLi 
OWASP top 10 A1: Sql Injection (SQLi)
CWE-89

wpScan:
https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-44ec1d59f5fd

WordPress WP Brutal AI Cross Site Request Forgery / SQL Injection

Follow us on Instagram @thecyberpost

EDITOR PICKS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Doctor Appointment Management System 1.0 Cross Site Scripting

Kemp LoadMaster Unauthenticated Command Injection

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

Backdoor.Win32.Small.er Code Execution

Online Admission System 1.0 Remote Code Execution

BBAM 1.1 Insecure Direct Object Reference