Wowonder is a web application written in PHP that lets you run your own social networking platform. When the software is purchased through Codecanyon, the source code is included and you can run the software on your own server. After we reported the vulnerabilities we found to the vendor, the application was updated and released as version 3.1.
As a result of our research, we detected an SQL injection vulnerability in the "event_id" parameter of the GET request sent to the "requests.php" page of the Wowonder social network platform application.
How Did We Detect Wowonder Social Network Platform SQL Injection Vulnerability?
As the Security For Everyone team, we regularly look for 0-day vulnerabilities in software we have selected for review. One of the applications we chose was the Wowonder Social Network Platform web application, which serves as a social media platform. After deciding on the application we were going to examine, we performed the following steps in order:
We decided to manually examine the source code of the application purchased on Codecanyon after we saw that examining it with automatic source code analysis tools produced too many false positives.
We determined that all requests are sent to the requests.php page, with the function name passed as a parameter (requests.php?f=search-my-followers).
We saw that many parameters are filtered to prevent SQL injection. Nonetheless, we determined that the "event_id" parameter is not passed to the function that performs this filtering.
We confirmed that the vulnerability could be triggered by sending an SQL injection payload to this unfiltered parameter.
Using the SQL injection vulnerability we detected, we were able to access all tables and data in the database.
Finally, we applied to MITRE and were assigned a CVE identifier.
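The root cause described in the steps above is a parameter that bypasses the input filtering routine and reaches the query text directly. The following is an added example written for this article in the style of a requests.php?f=... dispatcher; it is not Wowonder's code, and the $db PDO connection, the events table and the get-event function name are assumptions.

```php
<?php
// Constructed example (not Wowonder's code). Assumes a PDO connection to a MySQL
// database with an `events` table; the table and column names are assumptions.

// VULNERABLE pattern: "event_id" never reaches the filtering routine and is
// concatenated straight into the SQL text, so its content becomes part of the query.
function getEventUnsafe(PDO $db, array $get): ?array
{
    $eventId = $get['event_id'] ?? '';
    $sql = "SELECT id, name, start_time FROM events WHERE id = " . $eventId;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: validate the type the parameter is supposed to have, then bind
// it to a prepared statement so the value can never change the query structure.
function getEventSafe(PDO $db, array $get): ?array
{
    $eventId = filter_var($get['event_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($eventId === false) {
        http_response_code(400);
        return null; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, name, start_time FROM events WHERE id = :id');
    $stmt->bindValue(':id', $eventId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Dispatcher in the style of requests.php?f=...: every function must receive its
// input through a hardened handler, not only those on a "filtered" list.
$db = new PDO('mysql:host=127.0.0.1;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$handlers = ['get-event' => 'getEventSafe'];
$f = $_GET['f'] ?? '';
if (!isset($handlers[$f])) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/json');
echo json_encode($handlers[$f]($db, $_GET));
```

The unsafe function is kept only to show the pattern the filtering routine was meant to prevent; only the hardened handler is wired into the dispatcher.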
What To Do?
After detecting the vulnerability, we reported it to the Wowonder software team. They then fixed the vulnerability and published the updated version on Codecanyon. The Security For Everyone team recommends downloading the current version and using it on your systems.