WordPress Livemesh Addons for Elementor Plugin <= 8.5
is vulnerable to
Cross Site Scripting (XSS)
REPORTED BY
Patchstack
DISCLOSED ON
Oct 1, 2024
PATCH STATUS
Not patched by author
The Security Vulnerability
In the latest version (2.8.2 at the time of writing) and all earlier versions, the plugin is vulnerable to SQL injection: any visitor can execute arbitrary SQL queries against the WordPress site's database. No privileges are required to exploit the issue.
Vulnerability 1: Unauthenticated SQL Injection
includes/product.helper.php, function get()
function get( $data = array(), $count = false ) {
    global $wpdb;
    // Caller-controlled keys override these defaults. Note that 'order',
    // 'order_by' and the free-form 'sql' fragment end up as SQL text, not values.
    $default = array(
        'count'    => 10,
        'field'    => null,
        'offset'   => 0,
        'order'    => 'DESC',
        'order_by' => 'date',
        'external' => true,
        'sql'      => '',
    );
    foreach ( $default as $_k => $_v ) {
        if ( array_key_exists( $_k, $data ) ) {
            $default[ $_k ] = $data[ $_k ];   // copied through with no sanitisation or allow-listing
            unset( $data[ $_k ] );
        }
    }
    // ... the rest of the function, where $sql is concatenated from these values
    // and handed to $wpdb->get_results(), is not reproduced on this page.
}
The function builds its query by string concatenation, appending the caller-supplied values directly into the $sql string, and then passes $sql straight to $wpdb->get_results() (the concatenation and the get_results() call are in the part of the function not reproduced above). Because 'order', 'order_by' and 'sql' become raw query text rather than bound values, $wpdb->prepare() placeholders alone would not fix this: identifiers and keywords have to be checked against an allow-list and the free-form 'sql' fragment dropped. Tracing the function back to where attacker input enters, we found that get() is called by the wishlist_get_products() function.
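To make the pattern concrete, the following is an added example (not the plugin's code) that reproduces the shape of get() against an in-memory SQLite table and puts a hardened version next to it. SQLite stands in for $wpdb so the block runs offline; the table and column names, the sample rows and the function names are assumptions made for the illustration.

```python
"""Added example, not the plugin's code: the concatenation pattern behind get(),
reproduced against an in-memory SQLite table, next to a hardened version.
Table/column names, sample rows and function names are assumptions; SQLite
stands in for $wpdb so this runs offline."""
import sqlite3

# Allow-lists for the hardened version: identifiers and keywords cannot be bound
# as parameters, so they are mapped from a fixed set of accepted values.
ALLOWED_ORDER_BY = {"date": "date", "title": "title", "id": "id"}
ALLOWED_ORDER = {"ASC", "DESC"}


def setup_db():
    """Constructed sample data: two posts and one user row worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, date TEXT);
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO posts VALUES (1, 'Zeta', '2024-01-01'), (2, 'Alpha', '2024-02-01');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash');
    """)
    return conn


def get_vulnerable(conn, data):
    """Same shape as get(): caller keys override defaults, then every value is
    concatenated into the query text. Deliberately injectable."""
    params = {"count": 10, "offset": 0, "order": "DESC", "order_by": "date", "sql": ""}
    params.update({k: v for k, v in data.items() if k in params})
    sql = (f"SELECT id, title FROM posts {params['sql']} "
           f"ORDER BY {params['order_by']} {params['order']} "
           f"LIMIT {params['count']} OFFSET {params['offset']}")
    return conn.execute(sql).fetchall()


def dump_users_via_sql_param(conn):
    """UNION through the free-form 'sql' fragment; '--' comments out the rest of the query."""
    return get_vulnerable(conn, {"sql": "UNION SELECT user_login, user_pass FROM wp_users --"})


def infer_bit(conn, condition):
    """Boolean-based inference through 'order_by': the sort key depends on CONDITION,
    so the id of the first row reveals whether it was true (no UNION needed)."""
    rows = get_vulnerable(conn, {"order_by": f"(CASE WHEN ({condition}) THEN date ELSE title END)"})
    return rows[0][0] == 2   # date DESC puts id 2 first, title DESC puts id 1 first


def get_hardened(conn, data):
    """Identifiers come from the allow-list, values go through bound parameters.
    The free-form 'sql' fragment has no safe equivalent and is refused outright."""
    order_by = ALLOWED_ORDER_BY.get(str(data.get("order_by", "date")))
    order = str(data.get("order", "DESC")).upper()
    if order_by is None or order not in ALLOWED_ORDER or "sql" in data:
        raise ValueError("rejected order/order_by/sql input")
    count, offset = int(data.get("count", 10)), int(data.get("offset", 0))
    sql = f"SELECT id, title FROM posts ORDER BY {order_by} {order} LIMIT ? OFFSET ?"
    return conn.execute(sql, (count, offset)).fetchall()


def hardened_rejects(conn, data):
    """True if the hardened version refuses DATA (allow-list miss or non-integer count/offset)."""
    try:
        get_hardened(conn, data)
    except ValueError:
        return True
    return False
```

The two attack helpers show why both halves of the fix matter: the UNION goes through the 'sql' fragment, which can only be removed, while the CASE expression goes through 'order_by', which a parameter placeholder cannot protect because it is an identifier, hence the allow-list map.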
The Protection Firewall Rule
RULE
array (
  'id' => 130,
  'ptc_id' => 13124,
  'slug' => 'newsletters-lite/wp-mailinglist.php',
  'type' => 'plugin',
  'version' => '4.9.9.2',
  'fixed_in' => '4.9.9.3',
  'rating' => '8.0',
  'published_at' => '',
  'desc' => 'Newsletters (Authenticated Privilege Escalation)',
  'rule_version' => '1.0.0',
  'rule' =>
  array (
    0 =>
    array (
      'rule' => 'L1xid3Bfc2NyZWVuX29wdGlvbnNcYi8=', // decodes to /\bwp_screen_options\b/
    ),
    1 =>
    array (
      'key' => 'L1xib3B0aW9uXGIv', // decodes to /\boption\b/
      'rule' => 'L1xiKHdwX2NhcGFiaWxpdGllc3x1c2VyX2xldmVsfHdwX3VzZXJfbGV2ZWx8YWRtaW5fY29sb3IpXGIv', // /\b(wp_capabilities|user_level|wp_user_level|admin_color)\b/
    ),
    2 =>
    array (
      'key' => 'L1xib3B0aW9uXGIv', // decodes to /\boption\b/
      'rule' => 'L1xiKG5ld3NsZXR0ZXJzX2hpc3RvcnlfcGVycGFnZSlcYi8=', // /\b(newsletters_history_perpage)\b/
      'return' =>
      array (
        'rule' => false,
      ),
    ),
    3 =>
    array (
      'key' => 'L1xib3B0aW9uXGIv', // decodes to /\boption\b/
      'rule' => 'L1xiKG5ld3NsZXR0ZXJzX2hpc3RvcnlfcGVycGFnZSlcYi8=', // /\b(newsletters_history_perpage)\b/
    ),
    4 =>
    array (
      'key' => 'L1xidmFsdWVcYi8=', // decodes to /\bvalue\b/
      'rule' => 'L15cZCskLw==', // decodes to /^\d+$/
      'return' =>
      array (
        'rule' => false,
      ),
    ),
  ),
  // base64 of the TEST IT payload shown below
  'tests' => 'eyJwb3N0Ijp7IndwX3NjcmVlbl9vcHRpb25zIjp7Im9wdGlvbiI6IndwX2NhcGFiaWxpdGllcyIsInZhbHVlIjoyLCJvcHRpb25fIjoibmV3c2xldHRlcnNfaGlzdG9yeV9wZXJwYWdlfHx1c2VyX2xldmVsfHdwX3VzZXJfbGV2ZWx8YWRtaW5fY29sb3IifX0sImdldCI6W10sInJhdyI6W10sImZpbGUiOltdLCJjb29raWUiOltdLCJ1cmwiOltdLCJzaG9ydGNvZGUiOltdLCJub25jZSI6W119',
  'notes' => '',
  'options' =>
  array (
    'get' => '',
    'log' => true,
    'raw' => '',
    'url' => '',
    'file' => '',
    'hook' => 'init',
    'post' =>
    array (
      0 =>
      array (
        'key' => '0',
        'full' => 'no',
        'value' => 'no',
      ),
      1 =>
      array (
        'key' => 'no',
        'full' => '1',
        'value' => 'no',
      ),
      2 =>
      array (
        'key' => 'no',
        'full' => '2',
        'value' => 'no',
      ),
      3 =>
      array (
        'key' => 'no',
        'full' => '3',
        'value' => 'no',
      ),
      4 =>
      array (
        'key' => 'no',
        'full' => '4',
        'value' => 'no',
      ),
    ),
    'block' => true,
    'cookie' => '',
    'header' => '',
    'wp_logout' => '',
    'allowed_cap' => '',
    'do_sanitize' => '',
    'nonce_check' =>
    array (
      'key' => '',
      'nonce' => '',
      'is_dfwp' => '',
    ),
    'notify_user' => '',
    'allowed_role' => '',
    'is_logged_in' => true,
    'rule_condition' => 'post0&&(post1||post2||(post3&&post4))',
    'shortcode_rules' => '',
    'do_full_sanitize' => '',
    'deactivate_plugin' => '',
    'wp_post_restrictions' => '',
    'wp_user_restrictions' => '',
  ),
  'createdAt' => '2024-09-09T12:22:58.000Z',
  'updatedAt' => '2024-09-20T10:44:32.000Z',
)
Note that the above rule is not a protection for the SQL injection described earlier: its slug (newsletters-lite/wp-mailinglist.php), version range (4.9.9.2, fixed in 4.9.9.3) and description all point at the Newsletters plugin's authenticated privilege escalation. Decoding the base64 patterns shows what it checks. For logged-in POST requests (hook init) it requires a wp_screen_options parameter (post0) and blocks when the option name is one of wp_capabilities, user_level, wp_user_level or admin_color (post1), when the option is anything other than newsletters_history_perpage (post2, whose 'return' => false we read as inverting the match), or when the option is newsletters_history_perpage but the value is not a plain integer (post3 && post4). The 'tests' field is the base64 encoding of the TEST IT payload below.
TEST IT
{
"post": {
"wp_screen_options": {
"option": "wp_capabilities",
"value": 2,
"option_": "newsletters_history_perpage||user_level|wp_user_level|admin_color"
}
},
"get": [],
"raw": [],
"file": [],
"cookie": [],
"url": [],
"shortcode": [],
"nonce": []
}
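The following is an added example, not Patchstack's rule engine, that decodes the base64 patterns from the rule above and evaluates rule_condition against the TEST IT payload and two constructed variants. The patterns, rule_condition and the 'tests' blob are copied from the rule; the matching semantics (a 'rule' alone is tested against parameter names, a 'key' plus 'rule' pair against a parameter name and its value, and 'return' => false inverts the match) are this example's reading of the rule and are an assumption.

```python
"""Added example, not Patchstack's engine: decode the rule's base64 PCRE patterns and
evaluate rule_condition over a POST body. Patterns, condition and 'tests' blob are
copied from the rule; the matching semantics below are an assumption."""
import base64
import json
import re

# The five 'rule' entries, in order, as post0..post4 of rule_condition.
RULE_ENTRIES = [
    {"rule": "L1xid3Bfc2NyZWVuX29wdGlvbnNcYi8="},
    {"key": "L1xib3B0aW9uXGIv",
     "rule": "L1xiKHdwX2NhcGFiaWxpdGllc3x1c2VyX2xldmVsfHdwX3VzZXJfbGV2ZWx8YWRtaW5fY29sb3IpXGIv"},
    {"key": "L1xib3B0aW9uXGIv", "rule": "L1xiKG5ld3NsZXR0ZXJzX2hpc3RvcnlfcGVycGFnZSlcYi8=", "return": False},
    {"key": "L1xib3B0aW9uXGIv", "rule": "L1xiKG5ld3NsZXR0ZXJzX2hpc3RvcnlfcGVycGFnZSlcYi8="},
    {"key": "L1xidmFsdWVcYi8=", "rule": "L15cZCskLw==", "return": False},
]
RULE_CONDITION = "post0&&(post1||post2||(post3&&post4))"
RULE_TESTS_B64 = ("eyJwb3N0Ijp7IndwX3NjcmVlbl9vcHRpb25zIjp7Im9wdGlvbiI6IndwX2NhcGFiaWxpdGllcyIsInZhbHVlIjoyLCJvcHRpb25fIjoi"
                  "bmV3c2xldHRlcnNfaGlzdG9yeV9wZXJwYWdlfHx1c2VyX2xldmVsfHdwX3VzZXJfbGV2ZWx8YWRtaW5fY29sb3IifX0sImdldCI6W10s"
                  "InJhdyI6W10sImZpbGUiOltdLCJjb29raWUiOltdLCJ1cmwiOltdLCJzaG9ydGNvZGUiOltdLCJub25jZSI6W119")

# The TEST IT payload from the page, as a Python dict.
TEST_PAYLOAD = {"wp_screen_options": {"option": "wp_capabilities", "value": 2,
                "option_": "newsletters_history_perpage||user_level|wp_user_level|admin_color"}}


def decode_rule(b64):
    """Patterns are stored base64-encoded as PCRE literals such as '/\\bfoo\\b/'; strip the slashes."""
    literal = base64.b64decode(b64).decode()
    if not (literal.startswith("/") and literal.endswith("/")):
        raise ValueError(f"unexpected pattern literal: {literal!r}")
    return re.compile(literal[1:-1])


def walk(node):
    """Yield (name, value) for every parameter at every depth of a nested POST body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield str(k), v
            yield from walk(v)


def entry_matches(entry, post):
    """Assumed semantics: 'rule' alone tests parameter names; 'key'+'rule' tests a
    name and its scalar value; 'return' => false inverts the result."""
    val_re = decode_rule(entry["rule"])
    if "key" in entry:
        key_re = decode_rule(entry["key"])
        hit = any(key_re.search(k) and not isinstance(v, (dict, list)) and bool(val_re.search(str(v)))
                  for k, v in walk(post))
    else:
        hit = any(val_re.search(k) for k, _ in walk(post))
    return (not hit) if entry.get("return") is False else hit


def evaluate(post):
    """Return (blocked, per-entry results) for a POST body under RULE_CONDITION."""
    results = [entry_matches(e, post) for e in RULE_ENTRIES]
    expr = re.sub(r"post(\d+)", lambda m: str(results[int(m.group(1))]), RULE_CONDITION)
    expr = expr.replace("&&", " and ").replace("||", " or ")
    # expr is now only True/False/and/or/parentheses derived from the rule's own text,
    # never from the request, so evaluating it is safe.
    return bool(eval(expr, {"__builtins__": {}}, {})), results


def payload_from_rule_tests():
    """The rule's 'tests' field is the TEST IT payload, base64-encoded."""
    return json.loads(base64.b64decode(RULE_TESTS_B64))["post"]


if __name__ == "__main__":
    blocked, per_entry = evaluate(TEST_PAYLOAD)
    print("decoded tests == TEST IT payload:", payload_from_rule_tests() == TEST_PAYLOAD)
    print("post0..post4:", per_entry, "-> blocked:", blocked)
```

Two details are worth noticing when running it: the 'option_' key in the test payload never matches /\boption\b/ because the trailing underscore is a word character, so it acts as a check that the key pattern is anchored; and under this reading a newsletters_history_perpage option with an integer value passes, while the same option with a string like "administrator" is blocked by post3 && post4.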