Xtreme Locator Dealer Locator WordPress Plugin – SQL Injection

Homepage:

https://wordpress.org/plugins/xtremelocator/

Description:

Required user access: administrator.

$_GET['id'] is not escaped before being used in a SQL query. The vulnerable code is reachable only by administrator users.

File / Code:

Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php

Line: 112

if((isset($_GET['id'])||(isset($_POST['action'])&&$_POST['action']=="add_field"))&&!isset($_POST['field_action'])){
   if(isset($_GET['id'])){
      // $_GET['id'] is concatenated straight into the statement: no escaping, no prepare(), no integer cast
      $field=$wpdb->get_results("SELECT * FROM `".$wpdb->prefix."xtremelocator_fields` WHERE id=".$_GET['id']);
   }
   include_once($xl_path."/views/add_field.php");
}else{

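For contrast, an added example of how the same lookup looks once hardened; this is not code from the advisory or from the plugin. The user-supplied id is cast to an integer and bound through $wpdb->prepare(), and the admin-only requirement is enforced with an explicit capability check (the 'manage_options' capability and the function name xl_example_load_field are assumptions).

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress context
// where the global $wpdb is available and that editing locator fields is
// an administrator-only action ('manage_options' is an assumed capability).

function xl_example_load_field( $wpdb ) {
    // 1. Enforce the authorisation requirement explicitly instead of
    //    relying on the admin page being the only way to reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;
    }

    if ( ! isset( $_GET['id'] ) ) {
        return null;
    }

    // 2. Coerce the identifier to a non-negative integer before it gets
    //    anywhere near the query; non-numeric input collapses to 0.
    $id = absint( wp_unslash( $_GET['id'] ) );
    if ( 0 === $id ) {
        return null;
    }

    // 3. Build the statement with $wpdb->prepare(). The %d placeholder
    //    binds an integer, so the request value can never alter the
    //    structure of the query the way the raw concatenation above allows.
    $table = $wpdb->prefix . 'xtremelocator_fields';
    $sql   = $wpdb->prepare(
        "SELECT * FROM `{$table}` WHERE id = %d",
        $id
    );

    return $wpdb->get_results( $sql );
}
```
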
Proof of Concept:

1 – Using the URL, SQL injection via the GET parameter:

2 – Result:

Timeline:

  • 14/12/2016 – Discovered
  • 15/12/2016 – Vendor notified
