The remindMe.json.php endpoint passes $_REQUEST['live_schedule_id'] through multiple functions without sanitization until it reaches Scheduler_commands::getAllActiveOrToRepeat(), which directly concatenates it into a SQL LIKE clause. Although intermediate functions (new Live_schedule(), getUsers_idOrCompany()) apply intval() internally, they do so on local copies within ObjectYPT::getFromDb(), leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents.
The vulnerability involves a 6-step data flow from user input to an unsanitized SQL sink:
Step 1 — User input (no sanitization):
plugin/Live/remindMe.json.php:15:
$reminder = Live::setLiveScheduleReminder($_REQUEST['live_schedule_id'], ...);
Step 2 — Auth check passes for any user:
plugin/Live/Live.php:4126:
if (!User::isLogged()) {
    $obj->msg = __('Must be logged');
    return $obj;
}
Step 3 — intval() applied only internally, original variable unchanged:
plugin/Live/Live.php:4141-4143:
$ls = new Live_schedule($live_schedule_id); // intval() inside getFromDb() only
$users_id = Live_schedule::getUsers_idOrCompany($live_schedule_id); // same
objects/Object.php:84 (inside getFromDb()):
$id = intval($id); // sanitizes the LOCAL parameter, not the caller's variable
With input like 1" AND SLEEP(5) --, intval() extracts 1 and loads schedule ID 1 successfully, so the flow continues; the caller's $live_schedule_id still holds the full string 1" AND SLEEP(5) --.
Step 4 — Tainted value flows to type string construction:
plugin/Live/Live.php:4152 → Live.php:4193-4194:
$reminders = self::getLiveScheduleReminders($live_schedule_id);
// getLiveScheduleReminders calls:
$type = self::getLiveScheduleReminderBaseNameType($live_schedule_id);
// which builds: "LiveScheduleReminder_{$to_users_id}_{$live_schedule_id}"
return...
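The mechanism behind Steps 3 and 4 (a cast applied to a callee's local copy while the caller's variable stays tainted, ending in a string-built LIKE clause) and the corresponding fix, shown as an added example that is not AVideo's own code. It runs against a constructed in-memory SQLite database; the table names, function names and the reminder-name format used here are stand-ins chosen for the demo, not the project's real schema or API.

```php
<?php
// Added example, not AVideo's own code. It reproduces the pattern the report
// describes (intval() on a callee's local parameter, tainted caller variable,
// string-built LIKE clause) against a constructed in-memory SQLite database,
// and shows the fix: cast once at the request boundary and bind the LIKE
// pattern. All table and function names here are invented for the demo.

declare(strict_types=1);

function makeDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec('CREATE TABLE scheduler_commands (id INTEGER PRIMARY KEY, parameters TEXT)');
    $pdo->exec("INSERT INTO live_schedule (id, title) VALUES (1, 'Demo stream')");
    $pdo->exec("INSERT INTO scheduler_commands (parameters) VALUES
        ('LiveScheduleReminder_7_1'), ('LiveScheduleReminder_9_2')");
    return $pdo;
}

// Stand-in for ObjectYPT::getFromDb(): PHP passes scalars by value, so this
// intval() changes only the local $id, never the caller's variable.
function loadScheduleTitle(PDO $pdo, $id): ?string
{
    $id = intval($id); // sanitizes the LOCAL copy only
    $stmt = $pdo->prepare('SELECT title FROM live_schedule WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// The vulnerable shape: request data concatenated straight into the LIKE
// literal. Returned as text rather than executed, to show what would reach
// the database server.
function buildReminderQueryUnsafe($liveScheduleId): string
{
    return "SELECT id FROM scheduler_commands WHERE parameters LIKE "
         . "'LiveScheduleReminder_%_{$liveScheduleId}'";
}

// Hardened shape: the id is an int by the time it arrives, and the pattern is
// a bound parameter, so the SQL text never contains request data.
function findReminderIdsSafe(PDO $pdo, int $liveScheduleId): array
{
    $stmt = $pdo->prepare(
        'SELECT id FROM scheduler_commands WHERE parameters LIKE :pattern'
    );
    $stmt->execute([':pattern' => 'LiveScheduleReminder_%_' . $liveScheduleId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$pdo = makeDemoDb();

// Constructed request value in the shape the report gives.
$_REQUEST['live_schedule_id'] = '1" AND SLEEP(5) --';

// --- As the report describes it: no cast at the boundary -------------------
$live_schedule_id = $_REQUEST['live_schedule_id'];
$title = loadScheduleTitle($pdo, $live_schedule_id);            // "Demo stream": intval() got 1
$stillTainted = ($live_schedule_id === '1" AND SLEEP(5) --');   // true: caller's copy untouched
$sql = buildReminderQueryUnsafe($live_schedule_id);
// $sql now embeds the raw request string verbatim inside the LIKE literal.
printf("loaded: %s | caller variable still tainted: %s\n", $title, var_export($stillTainted, true));
printf("unsafe SQL text: %s\n", $sql);

// --- Fixed: validate once where the request enters the application ---------
$id = intval($_REQUEST['live_schedule_id'] ?? 0);
if ($id <= 0) {
    // Reject rather than continue; the original string never goes any further.
    exit("invalid live_schedule_id\n");
}
printf("safe lookup for id %d: %s\n", $id, json_encode(findReminderIdsSafe($pdo, $id))); // [1]
```

Two points the demo makes concrete: the cast must happen on the variable that actually flows to the sink (here, at the request boundary, before any helper is called), and the LIKE pattern must be a bound parameter so the query text is fixed. Note that binding removes the injection but not LIKE's own wildcard semantics: `_` matches any single character, so an exact `=` comparison on the full reminder name, or an `ESCAPE` clause, is the stricter choice when the format is known.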
Exploitability: AV:N / AC:L / PR:L / UI:N
Scope: S:U
Impact: C:H / I:H / A:N
Base score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)