Product Catalog 8 1.2 Plugin WordPress – Sql Injection

Homepage:

https://wordpress.org/plugins/product-catalog-8/

Description:

Type user access: any user.

$_POST[ ‘selectedCategory’ ] is not escaped. UpdateCategoryList() is accessible for any user.

File / Code:

Path: /wp-content/plugins/product-catalog-8/includes/ajax-functions.php

Line: 147

function UpdateCategoryList() {
   global $wpdb, $subcategories_table;

   global $wpdb;
   $table = $subcategories_table;
   $catid = $_POST['selectedCategory'];

   if($catid !== '0') {

      $get_items = $wpdb->get_results( "SELECT * FROM $table WHERE subcategory_category = $catid ORDER BY subcategory_name ASC" );
      echo json_encode($get_items);
   }
   else {
      $get_items = "";
      echo json_encode($get_items);
   }

   die();

}

Proof of Concept:

 

1 – Login as regular user (created using wp-login.php?action=register):

2 – Send Post for:

product8-proof

OR

product8-send1 product8-send2

target => http://target/wp-admin/admin-ajax.php

post => product8-post

Timeline:

  • 12/11/2016 – Discovered
  • 12/11/2016 – Vendor not found

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top