CVE-2022-30830
Description
Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\feature_edit.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wedding Management System v1.0 is vulnerable to SQL injection via the id parameter in admin/feature_edit.php, allowing database extraction.
Vulnerability
A SQL injection vulnerability exists in the admin/feature_edit.php page of Wedding Management System v1.0 [1]. The id parameter in the GET request is directly concatenated into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL. The vulnerable parameter is id in the URL path /Wedding-Management/admin/feature_edit.php?id= [1].
Exploitation
An attacker must have access to the admin panel (likely authenticated). By sending a crafted GET request to the vulnerable endpoint with a malicious id parameter, such as id=-8%20union%20select%201,2,database(),4--+, the attacker can perform UNION-based SQL injection [1]. No additional user interaction is required.
Impact
Successful exploitation allows an attacker to retrieve sensitive data from the underlying database, as demonstrated by extracting the database name dbwedding [1]. This could lead to disclosure of user credentials, personal information, and other application data, compromising confidentiality and potentially leading to further attacks.
Mitigation
No official patch has been released by the vendor. Mitigation requires implementing parameterized queries or prepared statements for all database interactions, and sanitizing user inputs. Additionally, restrict access to the admin panel and apply the principle of least privilege. Users should monitor for updates from the vendor.
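The mitigation above, sketched in PHP as an added example; it is not the vendor's code, which this page does not show. The table `feature`, its four columns and the function names are hypothetical, and an in-memory SQLite database reached through PDO stands in for the application's database so the script runs without a server.

```php
<?php
declare(strict_types=1);

// Hypothetical schema with four columns, matching the four-column UNION quoted on this page.
function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:'); // stand-in database (assumption)
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE feature (id INTEGER PRIMARY KEY, title TEXT, body TEXT, image TEXT)');
    // Constructed sample row.
    $db->exec("INSERT INTO feature VALUES (8, 'Catering', 'Constructed sample row', 'c.jpg')");
    return $db;
}

// The unsafe pattern the Vulnerability section describes: the raw id
// becomes part of the SQL text itself. Built here only to show the string.
function buildUnsafeQuery(string $rawId): string
{
    return 'SELECT * FROM feature WHERE id = ' . $rawId;
}

// Hardened lookup: accept only a positive integer, then bind it as an
// integer parameter so the value can never change the statement's structure.
function fetchFeature(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // the page handler should answer 400 Bad Request here
    }
    $stmt = $db->prepare('SELECT id, title, body, image FROM feature WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDemoDb();
// URL-decoded form of the id value quoted in the Exploitation section.
$payload = '-8 union select 1,2,database(),4-- ';

// With concatenation, the UNION clause ends up inside the statement.
echo buildUnsafeQuery($payload), PHP_EOL;
// The hardened lookup rejects the same value before any SQL is prepared.
var_dump(fetchFeature($db, $payload));
// A legitimate id still resolves to its row.
var_dump(fetchFeature($db, '8'));
```

The same `prepare`/`bindValue` calls apply with a MySQL DSN; only the connection string changes.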
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Wedding Management System/Wedding Management System
- Range: =1.0
Patches
No patches discovered yet.
References