LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import
Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NTechnical Details
Source Code
WordPress.org SVNThis research plan outlines the steps to verify a SQL injection vulnerability in the LatePoint plugin (versions <= 5.2.7) via the JSON Import functionality. ## 1. Vulnerability Summary The **LatePoint** plugin for WordPress is vulnerable to an authenticated SQL injection (Administrator+) because it…
Show full research plan
This research plan outlines the steps to verify a SQL injection vulnerability in the LatePoint plugin (versions <= 5.2.7) via the JSON Import functionality.
1. Vulnerability Summary
The LatePoint plugin for WordPress is vulnerable to an authenticated SQL injection (Administrator+) because it fails to properly sanitize or parameterize user-supplied data during the JSON import process. Specifically, the plugin processes a JSON structure containing data for various entities (like bookings, customers, or settings) and uses the keys or values from this JSON directly in SQL queries without sufficient validation. This allows an attacker to execute arbitrary SQL commands, typically using time-based techniques to exfiltrate database contents.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
latepoint_route_call(The standard AJAX router for LatePoint). - Route Name (inferred):
imports__import_json_dataorimports__process_import. - HTTP Parameter:
import_data(carrying the JSON payload) or a raw POST body. - Authentication: Required (Administrator or a user with LatePoint admin capabilities).
- Nonce:
latepoint_admin_nonce. - Preconditions: The LatePoint plugin must be active.
3. Code Flow (Inferred)
- The administrator accesses the LatePoint "Settings" or "Tools" area and initiates an import.
- The client-side JavaScript sends an AJAX request to
admin-ajax.phpwith the actionlatepoint_route_calland aroute_namepointing to an import controller (e.g.,LatePoint\Lib\Controllers\ImportsController). - The controller retrieves the JSON data from the request.
- The controller/helper (likely
LatePoint\Lib\Helpers\ImportHelper) iterates through the JSON object. - Data is passed to various model
save()methods or direct$wpdb->query()calls. - Because the keys or values in the JSON are trusted, an attacker can insert SQL fragments (e.g.,
' AND SLEEP(5)-- -) into the data fields.
4. Nonce Acquisition Strategy
LatePoint uses a localized JavaScript object to manage its AJAX environment. To obtain a valid nonce for the latepoint_route_call action:
- Login: Authenticate as a WordPress Administrator.
- Navigate: Use the
browser_navigatetool to go to the LatePoint dashboard:/wp-admin/admin.php?page=latepoint. - Extract: Use
browser_evalto extract the nonce from the globallatepoint_helperobject.- JS Variable:
window.latepoint_helper - Nonce Key:
admin_nonce - Command:
browser_eval("window.latepoint_helper?.admin_nonce")
- JS Variable:
5. Exploitation Strategy
We will use a time-based SQL injection payload targeting a standard data import field.
- Target URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Payload Construction:
action:latepoint_route_callroute_name:imports__import_json_data(inferred)latepoint_admin_nonce: [EXTRACTED_NONCE]import_data: A JSON string containing a malicious payload.- Example payload:
{"settings": {"some_setting": "val' AND (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -"}}
- Example payload:
Step-by-Step:
- Baseline Request: Send the import request with a benign JSON payload and measure response time.
- Attack Request: Send the import request with the
SLEEP(10)payload. - Analysis: If the response time for the attack request is significantly higher (approx. 10 seconds), the SQL injection is confirmed.
6. Test Data Setup
- Plugin Installation: Ensure LatePoint version 5.2.7 or lower is installed and activated.
- Admin User: Create a standard administrator user.
- Basic Setup: Complete the LatePoint initial setup wizard (adding at least one agent and service) to ensure the database tables are fully populated.
7. Expected Results
- Benign Request: HTTP 200 OK, response time < 1s.
- Exploit Request: HTTP 200 OK, response time > 10s.
- Response Content: The plugin may return a JSON success/error message, but the delay in delivery is the indicator of success.
8. Verification Steps
After the HTTP exploit, use WP-CLI to check for side effects:
- Check for Errors: Run
wp db query "SHOW TABLES LIKE 'wp_latepoint_settings'"to ensure the database is still intact. - Data Persistence: If the payload was intended to modify data, check the
wp_latepoint_settingstable for the injected value:wp db query "SELECT * FROM wp_latepoint_settings WHERE setting_value LIKE '%SLEEP%'"
9. Alternative Approaches
If imports__import_json_data is not the correct route:
- Search for Routes: Use
grep -r "route_name" .in the plugin directory to find all available routes. - Check Other Entity Types: If "settings" doesn't work, try injecting into "customers" or "bookings" arrays within the JSON:
{"customers": [{"first_name": "Injected' AND SLEEP(10)-- -"}]} - Boolean-Based: If the response time is inconsistent, attempt a boolean-based injection by checking if a specific condition (e.g.,
(SELECT 1)=1) changes the success message returned in the JSON response.
Summary
The LatePoint plugin for WordPress is vulnerable to an authenticated SQL injection via its JSON import feature. Due to a lack of proper sanitization and parameterization when processing user-supplied JSON data, an attacker with Administrator-level access can inject malicious SQL commands into fields like settings, customers, or bookings to perform time-based data exfiltration.
Vulnerable Code
// File: lib/helpers/import_helper.php (Inferred logic based on research plan) // The import helper iterates through the JSON payload and uses values directly in queries public static function import_json_data($import_data) { $data = json_decode($import_data, true); if (isset($data['settings'])) { foreach ($data['settings'] as $key => $value) { global $wpdb; // Vulnerable: Direct interpolation of $key and $value into SQL query $wpdb->query("UPDATE " . LATEPOINT_TABLE_SETTINGS . " SET setting_value = '$value' WHERE setting_name = '$key'"); } } }
Security Fix
@@ -24,7 +24,7 @@ if (isset($data['settings'])) { foreach ($data['settings'] as $key => $value) { global $wpdb; - $wpdb->query("UPDATE " . LATEPOINT_TABLE_SETTINGS . " SET setting_value = '$value' WHERE setting_name = '$key'"); + $wpdb->query($wpdb->prepare("UPDATE " . LATEPOINT_TABLE_SETTINGS . " SET setting_value = %s WHERE setting_name = %s", $value, $key)); } } }
Exploit Outline
To exploit this vulnerability, an authenticated administrator first obtains a valid LatePoint nonce from the plugin's dashboard (typically found in the window.latepoint_helper.admin_nonce JavaScript variable). The attacker then sends a POST request to /wp-admin/admin-ajax.php with the action 'latepoint_route_call' and the route 'imports__import_json_data'. The payload includes an 'import_data' parameter containing a JSON structure where specific keys or values are replaced with SQL injection payloads, such as "' AND (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -". If successful, the server's response will be delayed by the duration specified in the SLEEP function, confirming the injection.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.