Expand Maker Read More & Accordion
Affected versions: <= 3.5.7
A time-based blind SQL injection vulnerability has been identified in the Read More & Accordion plugin for WordPress, affecting all versions up to and including 3.5.7. The vulnerability arises from improper handling of the 'orderby' parameter, which is not correctly sanitized before being used in SQL queries. This flaw allows authenticated attackers with administrator-level access to inject arbitrary SQL expressions, potentially leading to unauthorized data extraction from the database, including sensitive information such as administrator password hashes.
Because the injection is time-based and blind, query results are not returned in the response; an attacker manipulates the SQL query and extracts data from the database indirectly.
To reproduce this vulnerability, an authenticated user with administrator privileges sends a request to a vulnerable WordPress site with the 'orderby' parameter set to a crafted SQL expression. The injected expression introduces a delay, for example with the SLEEP() function, so that data can be inferred blindly from the response time.
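The usual mitigation for this class of flaw is to map 'orderby' through an allowlist instead of sanitizing it, because prepared-statement placeholders bind values, not column names. The following is an added example, not the plugin's code or its patch; the function name `safe_order_clause` and the column names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Request key => real column name.
// The column names here are constructed for illustration.
const ALLOWED_ORDERBY = [
    'id'    => 'id',
    'title' => 'expm_title',
    'type'  => 'type',
];

/**
 * Build an ORDER BY clause from untrusted request values.
 * The request value is only ever used as a lookup key; the text that
 * reaches the SQL string always comes from the constant table above.
 */
function safe_order_clause($orderby, $order): string
{
    // Non-string input (e.g. ?orderby[]=x) falls through to the default.
    $key = is_string($orderby) ? strtolower(trim($orderby)) : '';

    // Exact-match lookup: anything that is not a known key, including
    // expressions, commas, or function calls, maps to the default column.
    $column = ALLOWED_ORDERBY[$key] ?? 'id';

    // Direction is a two-value choice, never echoed from the request.
    $direction = (is_string($order) && strtoupper(trim($order)) === 'ASC')
        ? 'ASC'
        : 'DESC';

    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

// Constructed sample inputs: one valid, three that must be neutralized.
$samples = [
    ['title', 'asc'],       // ORDER BY `expm_title` ASC
    ['id', 'desc, 1'],      // ORDER BY `id` DESC
    ['SLEEP(5)', 'asc'],    // ORDER BY `id` ASC  (expression rejected)
    [['x'], null],          // ORDER BY `id` DESC (array input rejected)
];

foreach ($samples as [$orderby, $order]) {
    echo safe_order_clause($orderby, $order), PHP_EOL;
}
```

In a WordPress handler the two arguments would come from the request after `wp_unslash()`, and the returned clause would be appended to a query whose values are still bound with `$wpdb->prepare()`.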