CVE-2021-25054 SQL Injection vulnerability in Wpcalc 2.1 Wordpress Plugin

CVE-2021-25054

CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

https://wpscan.com/vulnerability/200969eb-e2a4-4200-82d7-0c313de089af

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25054

Disclosure Timeline

Dec 5, 2021: Issue Identified and Disclosed to WPscan
Dec 5, 2021 : Got auto reply
Dec 7, 2021: Got update that vendor had been contacted, CVE Assigned CVE-2021-25054
Dec 9, 2021: Plugin closed permanently
Jan 10, 2022: CVE published in NVD
Jan 14, 2022: CVE updated with score

Description:

The WPcalc Wordpress plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection

We can see the problematic code in \admin\partials\main.php

( $ info
$deI id
"del") (
"delete from
"<div class='updated'
$data . "
where id="
'message '
$delid) ;
("Record Deleted", "wow-fp-lang") . "

This vulnerability is present in the current version of the plugin 2.1. Administrative access is required to access the vulnerable functionality.

Link to plugin:

https://wordpress.org/plugins/wpcalc/

Steps to reproduce:

1. Log into WordPress as the admin user

2. Install Wpcalc plugins

3. In the WPcalc plugin settings create and publish a new calc.

WPcalc
List
Add new
Name is used only for admin purposes
Form
Field 1
* Style
o
Title': show
1
Validation:
Number
FAQ
Item type:
Innut
Placeholder:
1
pro version
Field width
12/12
Value:
1
Plugins
Publish
Save
Shortcode: [WPcalc id=]
É WP plugins for:
Marketing
Forms
Menu
Authorization

4. Click the delete link, the capture and save the request in an intercepting proxy.

WPcaIc
List
Order
1
Add new
Name
FAQ
Shortcode
[WPcalc id=2]
Pro version
ID
2
Plugins
Edit
Delete
Duplicate

5. Save the request to a file, request.txt

6. Run sqlmap

sqlmap -r request.txt -dbms=mysql --current-user -b -p did --batch --flush-session

Using this technique, we can also (slowly) dump the entire contents of the database, including WordPress users and so on.