CVE-2022-30835
Description
Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/budget.php?booking_id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wedding Management System v1.0 has an SQL injection in the booking_id parameter of budget.php, allowing authenticated admins to extract database data.
Vulnerability
Wedding Management System v1.0, developed by codeastro.com, contains a SQL injection vulnerability in the /Wedding-Management/admin/budget.php file. The booking_id parameter is unsanitized and directly concatenated into SQL queries, allowing an attacker to inject arbitrary SQL commands. The vulnerability exists in the admin panel, requiring backend login credentials. The affected version is v1.0 [1].
Exploitation
An attacker must have valid admin credentials to access the admin panel. The reference provides a sample login: admin@mail.com/Password@123 [1]. Once authenticated, the attacker can craft a GET request to /Wedding-Management/admin/budget.php?booking_id= with malicious SQL payloads. For example, appending 31%20and%20length(database())%20=%209 to the booking_id parameter enables Boolean-based blind SQL injection to leak the database name. The response length differs depending on whether the injected condition evaluates to true or false, which allows data to be extracted one condition at a time [1].
Impact
Successful exploitation allows an authenticated attacker to extract sensitive data from the underlying MySQL database, including administrator credentials and other private information. The attacker can enumerate the database schema, tables, and records. The impact is limited to data confidentiality and integrity compromise within the application's database; no remote code execution is indicated [1].
Mitigation
As of the publication date (2022-05-31), no official patch or updated version has been released by the vendor. The affected version v1.0 remains vulnerable. Workarounds include ensuring strong, unique admin passwords, restricting admin panel access via IP whitelisting or VPN, and implementing web application firewall (WAF) rules to block SQL injection patterns. Users should monitor the vendor's website for updates [1].
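The allow-list idea behind the WAF workaround can also be used for detection in existing web server logs. The following is an added example, not code from the vendor or the cited reference: it flags requests to budget.php whose booking_id is not a plain integer. The combined log format, the integer-only rule and the sample log lines are assumptions made for this sketch.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter named in the CVE description (compared lower-cased).
VULN_PATH = "/wedding-management/admin/budget.php"
PARAM = "booking_id"

# Assumption: access logs use the Apache/nginx "combined" layout.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: a legitimate booking_id is a short decimal integer.
VALID_ID = re.compile(r"\d{1,10}")

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/May/2022:10:00:01 +0000] '
    '"GET /Wedding-Management/admin/budget.php?booking_id=31 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/May/2022:10:00:05 +0000] '
    '"GET /Wedding-Management/admin/budget.php'
    '?booking_id=31%20and%20length(database())%20=%209 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [31/May/2022:10:00:09 +0000] '
    '"GET /Wedding-Management/admin/index.php?booking_id=abc HTTP/1.1" 200 900',
]

def suspicious_requests(lines):
    """Return (ip, status, decoded_value) for each budget.php request
    whose booking_id is not a plain decimal integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if unquote(url.path).lower() != VULN_PATH:
            continue  # some other page; out of scope for this check
        # parse_qsl percent-decodes values, so encoded payloads are seen decoded.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and not VALID_ID.fullmatch(value):
                hits.append((m["ip"], m["status"], value))
    return hits

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} booking_id={value!r}")
```

Because the injection is blind and the responses return 200, the status code alone will not separate these requests from normal traffic; the parameter shape is the reliable signal.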
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (1)