The plugin's report API endpoint concatenates user input into an SQL query without escaping it first, which could allow administrators in a multi-site configuration to leak sensitive information from the site's database.
1. Log in as admin.
2. Make sure HollerBox is installed and activated.
3. From the /wp-admin/ page, navigate to HollerBox -> Reports. Intercept the subsequent requests with a proxy.
4. Forward requests until the GET request for the following endpoint is intercepted: `/wp-json/hollerbox/report?before=&after=`
5. Modify the URL to be: `/wp-json/hollerbox/report?before=&after='+UNION+SELECT+1,SLEEP(5),3,4,'5`
6. Forward the request. The application will wait 5 seconds to respond due to the SLEEP(5) SQL function.
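As an added illustration (not HollerBox's own code; the route namespace, table name and column names are placeholders), a minimal WordPress REST callback in the shape the advisory describes, first with the `before`/`after` parameters spliced into the query and then rewritten to validate them and bind them through `$wpdb->prepare()`:

```php
<?php
// Added example, not the plugin's own code. Table and column names are placeholders.
// Both callbacks serve GET /wp-json/<namespace>/report?before=...&after=...

// Vulnerable shape: request parameters are concatenated straight into the SQL string,
// so a quote in either parameter changes the structure of the query.
function report_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $before = $request->get_param( 'before' );
    $after  = $request->get_param( 'after' );
    $sql = "SELECT id, popup_id, event, created FROM {$wpdb->prefix}example_report "
         . "WHERE created >= '$after' AND created <= '$before'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened shape: allow-list the input format, then bind values with $wpdb->prepare().
function report_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $params = array(
        'before' => $request->get_param( 'before' ),
        'after'  => $request->get_param( 'after' ),
    );
    // Accept only YYYY-MM-DD; anything else is rejected before any query is built.
    foreach ( $params as $name => $value ) {
        if ( ! is_string( $value ) || ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ) {
            return new WP_Error( 'invalid_param', "Invalid $name", array( 'status' => 400 ) );
        }
    }
    // %s placeholders are escaped and quoted by $wpdb; the input can only ever be a value.
    $sql = $wpdb->prepare(
        "SELECT id, popup_id, event, created FROM {$wpdb->prefix}example_report "
        . "WHERE created >= %s AND created <= %s",
        $params['after'],
        $params['before']
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin', '/report', array(
        'methods'             => 'GET',
        'callback'            => 'report_hardened',
        // Restrict the report to users who can manage the site; never leave this as __return_true.
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array(
            'before' => array( 'required' => true, 'type' => 'string' ),
            'after'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

With the hardened callback, the time-based payload from step 5 is rejected with HTTP 400 at the format check, and even a value that passed the check could not alter the query.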
| CPE | Name | Operator | Version |
|---|---|---|---|
| | holler-box | lt | 2.1.4 |