Participants Database Plugin for WordPress < 1.5.4.9 'query' Parameter SQL Injection

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(76071);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2014-3961");
  script_bugtraq_id(67769);
  script_xref(name:"EDB-ID", value:"33613");

  script_name(english:"Participants Database Plugin for WordPress < 1.5.4.9 'query' Parameter SQL Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is affected by a SQL
injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Participants Database Plugin for WordPress installed on the remote
host is prior to version 1.5.4.9. It is, therefore, affected by a SQL
injection vulnerability due to failure to properly sanitize
user-supplied input to the 'query' parameter in the 'pdb-signup'
script. A remote, unauthenticated attacker could leverage this issue
to execute arbitrary SQL statements against the backend database,
leading to manipulation of data or the disclosure of arbitrary data.

The application is reportedly also affected by an unspecified flaw in
which insufficient privilege checks allows an unauthenticated user to
execute actions reserved for administrative users when shortcodes are
used.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Jun/0");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/participants-database/#changelog");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.5.4.9 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:xnau:participants_databas3");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "Participants Database";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  regexes = make_list();
  regexes[0] = make_list("function serializeList", "#confirmation-dialog'");
  checks["/wp-content/plugins/participants-database/js/manage_fields.js"] = regexes;

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

version = UNKNOWN_VER;

# Get version from readme.txt
res = http_send_recv3(
  method : "GET",
  port   : port,
  item   : dir + "/wp-content/plugins/participants-database/readme.txt",
  exit_on_fail : TRUE
);

if ("=== Participants Database ===" >< res[2] && "Stable tag:" >< res[2])
{
  match = NULL;
  # Check Changelog section as Stable tag does not appear to be updated often
  output = strstr(res[2], "== Changelog ==");
  if (!isnull(output))
  {
    match = eregmatch(pattern:"= ([0-9\.]+) =", string:output);
    if (!isnull(match)) version = match[1];
  }
  # Fall back to Stable Tag as a backup
  else
  {
    pattern = "Stable tag: ([0-9\.]+)";
    match = eregmatch(pattern:pattern, string:res[2]);
  }
  if (isnull(match)) exit(1, "Failed to read the 'readme.txt' file for the WordPress " + plugin + " located at " + install_url + ".");
  version = match[1];


  fix = "1.5.4.9";
  if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
  {
    set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);
    if (report_verbosity > 0)
    {
      report =
        '\n  URL               : ' +install_url+
        '\n  Installed version : ' +version+
        '\n  Fixed version     : ' +fix + '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin", version);