Xtreme Locator Dealer Locator Plugin WordPress – SQL Injection

Homepage: https://wordpress.org/plugins/xtremelocator/
Description: Type of user access: admin user. $_GET['id'] is not escaped. Accessible only to admin users.
File / Code:
Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php
Line: 112

if((isset($_GET['id'])||(isset($_POST['action'])&&$_POST['action']=="add_field"))&&!isset($_POST['field_action'])){
    if(isset($_GET['id'])){
        // $_GET['id'] is concatenated straight into the query, unquoted and unprepared
        $field=$wpdb->get_results("SELECT * FROM `".$wpdb->prefix."xtremelocator_fields` WHERE id=".$_GET['id']);
    }
    include_once($xl_path."/views/add_field.php");
}else{

Proof of Concept:
1 – Using url, sqli by get:
2 – Result:
Timeline: …

WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – SQL Injection

Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
Description: Type of user access: any user. $_POST['cat_id'] is not escaped. Accessible to any user.
File / Code:
Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php
Line: 4

<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
global $wpdb;
// $_POST['cat_id'] is concatenated into the query without preparation
$category = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=".$_POST['cat_id'] );
echo …

Simple Personal Message 1.0.3 – Plugin WordPress – SQL Injection

Homepage: https://wordpress.org/plugins/simple-personal-message/
Description: Type of user access: any user. $_GET['message'] is not escaped. sirv_get_row_by_id() is accessible for every registered user.
File / Code:
Path: /wp-content/plugins/simple-personal-message/admin/partials/simple-personal-message-admin-view.php
Line: 25

<?php
global $wpdb;
$table = $wpdb->prefix . 'spm_message';
// esc_attr() escapes for HTML attribute output, not for SQL; the value is still interpolated unquoted
$id = esc_attr($_GET['message']);
$message = $wpdb->get_results("SELECT * FROM $table WHERE id = $id");
$user = get_user_by('login', $message[0]->sender);
…

WA Form Builder 1.1 – SQL Injection

Homepage: https://wordpress.org/plugins/wa-form-builder/
Description: Accessible to any user. $_POST['wa_forms_Id'] is not filtered. WAFormBuilder_ui_output() is accessible to any user.
File / Code:
Path: /wp-content/plugins/wa-form-builder/main.php
Line: 779

global $wpdb;
// the unprepared query is echoed to the page and then executed with the raw request value
echo 'SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id'];
$form_attr = $wpdb->get_row('SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id']);
$user_fields .= '<table width="100%" cellpadding="3" …

Product Catalog 8 1.2 Plugin WordPress – SQL Injection

Homepage: https://wordpress.org/plugins/product-catalog-8/
Description: Type of user access: any user. $_POST['selectedCategory'] is not escaped. UpdateCategoryList() is accessible to any user.
File / Code:
Path: /wp-content/plugins/product-catalog-8/includes/ajax-functions.php
Line: 147

function UpdateCategoryList() {
    global $wpdb, $subcategories_table;
    global $wpdb;
    $table = $subcategories_table;
    // raw POST value, only compared against the string '0', never validated as an integer
    $catid = $_POST['selectedCategory'];
    if($catid !== '0') {
        $get_items = $wpdb->get_results( "SELECT * FROM $table …

BBS e-Franchise 1.1.1 Plugin for WordPress – SQL Injection

Homepage: BBS e-Franchise
Description: Type of user: any user. $_GET['uid'] is not filtered. You have to find where the plugin is used in one of the posts or pages.
Vulnerable URL: http://target/2016/09/26/ola-mundo-2/
File / Code:
File: /wp-content/plugins/bbs-e-franchise/lib/franchise.class.php

    ) );
    require_once($templatePath.'/list.php'); // view
} else {
    $DATA = $wpdb->get_row( "SELECT * FROM {$this->table_list} WHERE ( …

Answer My Question 1.3 Plugin for WordPress – SQL Injection

Homepage: https://wordpress.org/plugins/answer-my-question/
Description: $_POST['id'] is not escaped. The URL is accessible to any user.
Vulnerable URL: http://target/wp-content/plugins/answer-my-question/modal.php
File / Code:
File: /wp-content/plugins/answer-my-question/modal.php
Code:

// the file bootstraps WordPress itself, so it is reachable directly without any capability check
require_once('../../../wp-load.php');
global $wpdb;
$table_name = $wpdb->prefix . "answer_my_question";
$result = $wpdb->get_results("SELECT * FROM $table_name WHERE id=".$_POST['id']." LIMIT 1;");

Proof of Concept: OR
Note: Change ID until return session_user
Timeline: 10/11/2016 …

Mini Cart Plugin 1.00.1 For WordPress

Homepage: https://wordpress.org/plugins/mini-cart/
Description: $_REQUEST[item] is not escaped. The URL is accessible to users with the collaborator role and above.
Vulnerable URL: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0
File / Code: … /wp-content/plugins/mini-cart/item_form.php
Line: 28

$item = array();
if($action == 'edit') {
    // $_REQUEST[item] is interpolated directly into the query string
    $item = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}minicart_item WHERE ID = $_REQUEST[item]");
}
?>

Proof of Concept: Logged in as a collaborator user: Url …

FireStorm Shopping Cart eCommerce Plugin 2.07.02 for WordPress

Homepage: https://wordpress.org/plugins-wp/fs-shopping-cart/
Description: $_POST['pid'] is not escaped. The URL is accessible to every registered user.
Vulnerable URL: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0
File / Code: … /wp-content/plugins/fs-shopping-cart/includes/admin_produtcs.php
Line: 64

echo '<div class="wrap">';
if (isset($_GET['pid'])) {
    // $_GET['pid'] is concatenated into the query and the result echoed unescaped into the page
    echo '<h2>Editing '.$wpdb->get_var("SELECT products_part_number FROM ".$wpdb->prefix."fssc_products WHERE products_id = ".$_GET['pid']).' <a href="admin.php?page=fssc-products&f=add" class="add-new-h2">Add New</a></h2>';
    echo fssc_products_sub_links($_GET['fp'], $_GET['f'], $_GET['cid'], …

Sirv 1.3.1 Plugin For WordPress

Homepage: https://wordpress.org/plugins/sirv/
Description: $_POST['id'] is not sanitized. sirv_get_row_by_id() is accessible to any registered user.
File / Code:

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id');
function sirv_get_row_by_id(){
    // only checks that the request is an AJAX call with row_id set; no nonce or capability check
    if(!(is_array($_POST) && isset($_POST['row_id']) && defined('DOING_AJAX') && DOING_AJAX)){
        return;
    }
    global $wpdb;
    $table_name = $wpdb->prefix . 'sirv_shortcodes';
    $id = $_POST['row_id'];
    $row = $wpdb->get_row("SELECT * FROM $table_name …