Complianz (Free < 6.3.4, Premium < 6.3.6) – Translator SQLi | CVE 2022-3494

Description

The plugins allow a translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML.

Proof of Concept

1. Install Complianz and set the following options in the wizard:
"Does your website use cookies for advertising?" = yes
"Are any of your advertising cookies used to show personalized ads?" = yes.

These two settings are required for the vulnerability to work. Any other settings should not matter.

2. Install Loco Translate and create a user with a translator role. You could also use WPML or any other solution that allows a translator user to edit translations and access /wp-admin

3. Log in as the translator and translate the following text:

"We use technologies like cookies to store and/or access device information. We do this to improve browsing experience and to show personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions." 

into an injection (without the double quotes):

"', message_optin = (SELECT CONCAT('DATA_KEY=',group_concat(user_email separator ';')) FROM wp_users) #"

4. Make the following POST request as the translator from the WP admin panel:

const data = new FormData();
data.append('wizard_type', 'last_step');
fetch('/wp-admin/admin.php', {
    method: "POST",
    credentials: 'same-origin',
    body: data
}).then(response => response.text())
    .then(data => {
        console.log(data);
    })

This re-does Complianz wizard's last step, which executes the injected SQL and saves its output as the cookie popup's default text.

5. Go to the front page. Now the injection result will be displayed at the site's frontend inside the cookie popup.