Team WordPress Plugin SQL Injection Vulnerability in Unauthenticated AJAX Actions

Vulnerability

A SQL injection vulnerability has been identified in the Team WordPress plugin, affecting versions prior to 5.0.11. The plugin does not sanitize or escape a request parameter before embedding it in a SQL statement, and the affected code path is reachable through an AJAX action exposed to unauthenticated users.

Impact

Exploitation allows an attacker to alter the structure of the SQL queries the plugin runs against the WordPress database. This could lead to unauthorized data access, data manipulation, or, in some cases, administrative operations on the WordPress site.

Reproduction

To reproduce this vulnerability:

1. Create a team member with an email address using the Team WordPress plugin.
2. Generate a team shortcode for embedding into a page.
3. Create a post containing the generated shortcode.
4. As an unauthenticated user, access the page URL with the shortcode, extract the nonce from the page, and identify the shortcode ID.
5. Execute the SQL injection through the vulnerable AJAX action by sending a POST request that includes the injected SQL payload, such as a time-based blind SQL injection payload that exploits the application's response time.

Remediation

Users are advised to update the Team WordPress plugin to version 5.0.11 or later.
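The defect class described above, shown as an added example that is not the Team plugin's own code: the AJAX action name (team_lookup), the request parameter names (member_id, email), the nonce action string and the table name are hypothetical. The vulnerable handler interpolates request input straight into SQL; the hardened handler coerces each parameter to its expected type and binds it with $wpdb->prepare(), so the value can never change the query's structure. The nonce check is kept because the page hands the nonce to anonymous visitors, but it only defends against CSRF; it is not what stops the injection.

```php
<?php
// Added example, not the Team plugin's code. Action, parameter, nonce and
// table names below are hypothetical placeholders.

// --- Vulnerable pattern (for contrast; do not hook this) ---
// An AJAX action registered with wp_ajax_nopriv_* runs for visitors who
// are not logged in, so whatever the handler does with $_POST is reachable
// by anyone who can load the shortcode page.
function team_lookup_vulnerable() {
    global $wpdb;
    $id    = $_POST['member_id'];                    // untrusted, unchecked
    $email = $_POST['email'];                        // untrusted, unchecked
    // Request values spliced into the SQL text: SQL injection.
    $rows = $wpdb->get_results(
        "SELECT name, email FROM {$wpdb->prefix}team_members
          WHERE id = $id AND email = '$email'"
    );
    wp_send_json_success( $rows );
}

// --- Hardened form ---
add_action( 'wp_ajax_nopriv_team_lookup', 'team_lookup_hardened' );
add_action( 'wp_ajax_team_lookup',        'team_lookup_hardened' );
function team_lookup_hardened() {
    global $wpdb;

    // 1. Verify the nonce embedded in the shortcode page. This blocks
    //    cross-site forgery only; an anonymous visitor can still obtain one.
    check_ajax_referer( 'team_lookup_nonce', 'nonce' );

    // 2. Coerce every parameter to the type the query expects before it
    //    gets near SQL. absint() yields 0 for anything non-numeric, and
    //    sanitize_email() strips characters that are invalid in an address.
    $id    = absint( $_POST['member_id'] ?? 0 );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( 0 === $id || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }

    // 3. Bind with $wpdb->prepare(): %d is an integer placeholder and %s is
    //    quoted and escaped by WordPress, so neither value can alter the
    //    statement's structure regardless of its content.
    $sql = $wpdb->prepare(
        "SELECT name FROM {$wpdb->prefix}team_members
          WHERE id = %d AND email = %s",
        $id,
        $email
    );
    $rows = $wpdb->get_results( $sql );

    // 4. Return only the columns an anonymous visitor is meant to see.
    wp_send_json_success( $rows );
}
```

When reviewing a plugin for this class of issue, search for every wp_ajax_nopriv_* registration and follow each handler to its $wpdb calls: any get_results(), get_var(), get_row() or query() whose SQL string contains a variable derived from $_GET, $_POST or $_REQUEST without passing through $wpdb->prepare() is the pattern to fix.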

Added: Jan 5, 2026, 6:19 AM
Updated: Jan 5, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 1.9
threat: 6.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.