CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Dec 5, 2021: Issue Identified and Disclosed to WPscan
Dec 5, 2021 : Got auto reply
Dec 7, 2021: Got update that vendor had been contacted, CVE Assigned CVE-2021-25054
Dec 9, 2021: Plugin closed permanently
Jan 10, 2022: CVE published in NVD
Jan 14, 2022: CVE updated with score
The WPcalc Wordpress plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection
We can see the problematic code in \admin\partials\main.php
This vulnerability is present in the current version of the plugin 2.1. Administrative access is required to access the vulnerable functionality.
Link to plugin:
Steps to reproduce:
1. Log into WordPress as the admin user
2. Install Wpcalc plugins
3. In the WPcalc plugin settings create and publish a new calc.
4. Click the delete link, the capture and save the request in an intercepting proxy.
5. Save the request to a file, request.txt
6. Run sqlmap
sqlmap -r request.txt -dbms=mysql --current-user -b -p did --batch --flush-session
Using this technique, we can also (slowly) dump the entire contents of the database, including WordPress users and so on.