ElementCamp WordPress Plugin SQL Injection Vulnerability in AJAX Action
Vulnerability
A time-based SQL injection vulnerability has been identified in the ElementCamp plugin for WordPress, affecting all versions through 2.3.6. The issue arises in the 'tcg_select2_search_post' AJAX action, where the 'meta_query[compare]' parameter is vulnerable. The user-supplied compare value is inserted into the query as an SQL operator without being validated against an allowlist of comparison operators. Although the value is passed through esc_sql(), that function only escapes characters for use inside a quoted string literal, so it offers no protection for a value spliced into the query as a bare, unquoted operator. As a result, authenticated attackers with Author-level access or higher can manipulate SQL queries to extract sensitive information from the database.
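The weak pattern described above beside a hardened form, as an added illustration that is not the plugin's own code: the handler name, nonce action, capability check and request field names are assumed, and the operator allowlist is the set of 'compare' values WP_Meta_Query itself accepts.

```php
<?php
// Added illustration (not ElementCamp's code). Operators that WP_Meta_Query
// accepts for 'compare'; anything else is rejected before it reaches SQL.
const TCG_ALLOWED_COMPARE = [
    '=', '!=', '>', '>=', '<', '<=',
    'LIKE', 'NOT LIKE', 'IN', 'NOT IN', 'BETWEEN', 'NOT BETWEEN',
    'EXISTS', 'NOT EXISTS', 'REGEXP', 'NOT REGEXP', 'RLIKE',
];

// Weak pattern: esc_sql() escapes quote characters for use inside a quoted
// literal, so it does nothing to constrain a bare operator token that is
// interpolated into the statement unquoted.
function tcg_meta_where_weak( $key, $compare, $value ) {
    global $wpdb;
    $compare = esc_sql( $compare );                       // wrong tool for an operator
    return $wpdb->prepare(
        "pm.meta_key = %s AND pm.meta_value {$compare} %s", // operator still spliced in raw
        $key, $value
    );
}

// Hardened pattern: normalise the operator, resolve it against the allowlist
// (falling back to '=' exactly as WP_Meta_Query does for unknown operators),
// and let WP_Query build the SQL instead of concatenating it by hand.
function tcg_select2_search_post_safe() {
    check_ajax_referer( 'tcg_select2', 'nonce' );         // assumed nonce action name
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $mq      = isset( $_POST['meta_query'] ) ? (array) wp_unslash( $_POST['meta_query'] ) : [];
    $compare = strtoupper( trim( (string) ( $mq['compare'] ?? '=' ) ) );
    if ( ! in_array( $compare, TCG_ALLOWED_COMPARE, true ) ) {
        $compare = '=';
    }
    $query = new WP_Query( [
        'post_type'      => sanitize_key( wp_unslash( $_POST['post_type'] ?? 'post' ) ),
        'posts_per_page' => 20,
        'meta_query'     => [ [
            'key'     => sanitize_text_field( $mq['key'] ?? '' ),
            'value'   => sanitize_text_field( $mq['value'] ?? '' ),
            'compare' => $compare,
        ] ],
    ] );
    wp_send_json_success( wp_list_pluck( $query->posts, 'post_title', 'ID' ) );
}
add_action( 'wp_ajax_tcg_select2_search_post', 'tcg_select2_search_post_safe' );
```

A defender reviewing a plugin can grep for esc_sql() applied to anything other than a quoted string operand; an operator, column name or ORDER BY direction passed through it is the same class of defect as the one described here.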
Impact
Exploitation of this vulnerability allows authenticated attackers to perform SQL injection, potentially leading to unauthorized data access or manipulation.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher can send a request to the 'tcg_select2_search_post' AJAX action. The request must include a crafted 'meta_query[compare]' parameter that exploits the lack of validation on SQL operators. The injection can be timed to observe the response delay, confirming the exploitation of the SQL injection vulnerability.
Remediation
No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
