Lucene search

K
wpvulndbDc11WPVDB-ID:2699CEFA-1CAE-4EF3-AD81-7F3DB3FCCE25
HistoryMar 27, 2023 - 12:00 a.m.

Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection

2023-03-2700:00:00
dc11
wpscan.com
3
wordpress
bestwebsoft
sql injection
gallery
slider plugin
blind sqli

0.001 Low

EPSS

Percentile

28.6%

The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor’s Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.

PoC

1. Ensure the “Slider by BestWebSoft” plugin is also installed (https://wordpress.org/plugins/slider-bws/) 2. Go to Galleries > Add New. 3. Click “Add Media” and choose or upload an image. 4. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name _gallery_order_12%5B13%5D (note the 12 and 13 are ID’s and will be different in each case). Change the inner ID (the 13 in this example) to the following: %27%20UNION%20%28SELECT%20IF%281%3D1%2CSLEEP%2810%29%2CSLEEP%285%29%29%29%23 5. Click on the Settings tab, and click the “Create New Slider” button. 6. Note the request takes 10 seconds, demonstrating the blind SQLi.

CPENameOperatorVersion
gallery-pluginlt4.7.0

0.001 Low

EPSS

Percentile

28.6%

Related for WPVDB-ID:2699CEFA-1CAE-4EF3-AD81-7F3DB3FCCE25