Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access:  is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …

Dsubscribers – 1.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access:  is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …

Ultimate Product Catalogue 4.2.2 Sql Injection

Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …

WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-email-users/ Description: Type user access:  is accessible for any registered user $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php Line: 197 if($temp_sel_key == ‘select_temp’){ $myrows = $wpdb->get_results( “SELECT template_value FROM `”.$table_name.”` where id = $temp”); $data=$myrows[0]->template_value; } Proof of Concept: 1 – Login as regular user …

Wp custom slider 1.6.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-custom-slider/ Description: Type user access: admin user. $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-custom-slider/customslider-ex-settings.php Line: 371 if(isset($_REQUEST[‘edit’])) { $id=$_REQUEST[‘edit’]; $query_pag_data=$wpdb->get_results(“select * from “.$wpdb->prefix.”customslider_images where id=$id”); ?> Proof of Concept: 1 – Login with admin user. 2 – Url with injection: http://target/wp-admin/options-general.php?page=custom_slider&showall=a&edit=0+UNION+SELECT+1,CONCAT(name,char(58),slug),3,4,5,6,7+FROM+wp_terms+WHERE+term_id=1 2 – Result:     Timeline: …

ZM Gallery 1 Plugin WordPress – Blind Injection

Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …

ZX_CSV Upload 1 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …

WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …

Xtreme Locator Dealer Locator Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/xtremelocator/ Description: Type user access: admins user. $_GET[‘id’] is not escaped. Is accessible for only admins user. File / Code: Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php Line: 112 if((isset($_GET[‘id’])||(isset($_POST[‘action’])&&$_POST[‘action’]==”add_field”))&&!isset($_POST[‘field_action’])){ if(isset($_GET[‘id’])){ $field=$wpdb->get_results(“SELECT * FROM `”.$wpdb->prefix.”xtremelocator_fields` WHERE id=”.$_GET[‘id’]); } include_once($xl_path.”/views/add_field.php”); }else{ Proof of Concept: 1 – Using url, sqli by get: 2 – Result:   Timeline: …

WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ Description: Type user access: any user. $_POST[‘cat_id’] is not escaped. Is accessible for any user. File / Code: Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php Line: 4 <?php if ( ! defined( ‘ABSPATH’ ) ) exit; // Exit if accessed directly global $wpdb; $category = $wpdb->get_row( “SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=”.$_POST[‘cat_id’] ); echo …