MasterStudy LMS
cpe:2.3:a:stylemixthemes:masterstudy_lms:*:*:*:*:wordpress:*:*
- <= 3.7.25
A time-based blind SQL injection vulnerability has been identified in the MasterStudy LMS WordPress plugin in versions up to and including 3.7.25. The vulnerability lies in the '/lms/stm-lms/order/items' REST API endpoint, where the 'order' and 'orderby' parameters are not properly sanitized before being used in the ORDER BY clause. This allows authenticated attackers with subscriber-level access and above to inject arbitrary SQL into that clause.
Exploitation takes the form of time-based blind SQL injection, through which an attacker can extract sensitive information from the database, including user credentials, session tokens and other confidential data.
To reproduce this vulnerability, send a POST request to the '/lms/stm-lms/order/items' REST API endpoint with the 'orderby' parameter set to a value that includes parentheses. The query builder interprets such a value as a SQL function and concatenates it into the ORDER BY clause without quoting, allowing unquoted SQL injection. The 'order' parameter can also be used to inject SQL, but it is not required for exploitation.
Users are advised to update the MasterStudy LMS WordPress plugin to version 3.7.26 or a newer patched version.
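The root cause described above is a sort column and direction taken from the request and concatenated into ORDER BY. Because SQL identifiers cannot be bound as prepared-statement parameters, the standard fix is an allow-list: the request value is only a key that selects a server-side column name, and the direction is restricted to ASC or DESC. The following PHP is an added illustration written for this entry, not the plugin's own code; the table name, column names, function names and the lookup keys are all made up.

```php
<?php
// Added illustration, not MasterStudy LMS code. Shows the unsafe pattern the
// advisory describes beside an allow-list based replacement. All names below
// (lms_order_items, item_id, created_at, price, the lookup keys) are invented.
declare(strict_types=1);

/**
 * Unsafe pattern: the sort column and direction come straight from the request
 * and are concatenated into the SQL string unquoted, so whatever the caller
 * sends becomes part of the query text. This is the shape of the flaw above.
 */
function build_order_query_unsafe(string $orderby, string $order): string
{
    return "SELECT * FROM lms_order_items ORDER BY {$orderby} {$order}";
}

/**
 * Allow-list of request keys to real column names. The request value is never
 * placed in the query; it only selects an entry from this map.
 */
const ALLOWED_ORDER_COLUMNS = [
    'id'    => 'item_id',
    'date'  => 'created_at',
    'price' => 'price',
];

/**
 * Hardened version: reject anything that is not a known key or a known sort
 * direction before any SQL is assembled. The column name that reaches the query
 * comes from server-side code, never from the request.
 */
function build_order_query_safe(string $orderby, string $order): string
{
    if (!array_key_exists($orderby, ALLOWED_ORDER_COLUMNS)) {
        throw new InvalidArgumentException('Unsupported orderby value');
    }
    $direction = strtoupper($order);
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        throw new InvalidArgumentException('Unsupported order value');
    }
    $column = ALLOWED_ORDER_COLUMNS[$orderby];
    return "SELECT * FROM lms_order_items ORDER BY `{$column}` {$direction}";
}

// Constructed inputs for demonstration.
echo build_order_query_safe('date', 'desc'), PHP_EOL;
// SELECT * FROM lms_order_items ORDER BY `created_at` DESC

// A value containing parentheses, and a real column name that is not an
// allowed key, are both refused before the query is built.
foreach (['foo()', 'created_at'] as $rejected) {
    try {
        build_order_query_safe($rejected, 'asc');
    } catch (InvalidArgumentException $e) {
        echo "rejected '{$rejected}': ", $e->getMessage(), PHP_EOL;
    }
}
```

In a WordPress plugin the same allow-list should sit in front of whatever query builder or `$wpdb` call assembles the statement; WordPress 6.2 and later also offer the `%i` identifier placeholder in `$wpdb->prepare()`, which backtick-quotes the value so that a string with parentheses can no longer be parsed as a function, but restricting the input to known keys remains the clearer control.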