Homepage:
https://wordpress.org/plugins/xtremelocator/
Description:
Required access: administrator user.
$_GET['id'] is concatenated directly into a SQL query without escaping or type casting, which allows SQL injection. The vulnerable code path is reachable only by administrator users.
File / Code:
Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php
Line: 112
if ((isset($_GET['id']) || (isset($_POST['action']) && $_POST['action'] == "add_field")) && !isset($_POST['field_action'])) {
    if (isset($_GET['id'])) {
        $field = $wpdb->get_results("SELECT * FROM `" . $wpdb->prefix . "xtremelocator_fields` WHERE id=" . $_GET['id']);
    }
    include_once($xl_path . "/views/add_field.php");
} else {
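Added example (not the plugin's code): the vulnerable query construction from the snippet above placed next to a hardened version that validates the id and binds it with $wpdb->prepare(). FakeWpdb, its simplified prepare() emulation, and the sample inputs are assumptions so the script runs outside WordPress; the real $wpdb object provides the same `prefix` property and prepare() method.

```php
<?php
// Added example, not code from the xtremelocator plugin. FakeWpdb is an assumed
// stand-in for WordPress's $wpdb so this runs on its own.
class FakeWpdb {
    public $prefix = 'wp_';

    // Simplified emulation of wpdb::prepare(): %d is cast to an integer,
    // %s is escaped and single-quoted. The real method does more (and also
    // supports %f and %i), but the integer cast is the part that matters here.
    public function prepare($query, ...$args) {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
            $arg = $args[$i++] ?? '';
            if ($m[0] === '%d') {
                return (string) intval($arg);
            }
            return "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// Vulnerable pattern from the plugin: raw $_GET['id'] concatenated into SQL.
function vulnerable_query(FakeWpdb $wpdb, array $get) {
    return "SELECT * FROM `" . $wpdb->prefix . "xtremelocator_fields` WHERE id=" . $get['id'];
}

// Hardened version: reject anything that is not a plain digit string, then
// bind with %d so only an integer literal can reach the final statement.
function hardened_query(FakeWpdb $wpdb, array $get) {
    if (!isset($get['id']) || !ctype_digit((string) $get['id'])) {
        return null; // caller should return an error instead of running a query
    }
    return $wpdb->prepare(
        "SELECT * FROM `{$wpdb->prefix}xtremelocator_fields` WHERE id=%d",
        $get['id']
    );
}

$wpdb = new FakeWpdb();
// Constructed sample inputs: a benign id and a tautology injected through the id parameter.
foreach (['7', '7 OR 1=1'] as $id) {
    $get = ['id' => $id];
    echo "input: {$id}\n";
    echo "  vulnerable: " . vulnerable_query($wpdb, $get) . "\n";
    echo "  hardened:   " . var_export(hardened_query($wpdb, $get), true) . "\n";
}
```

With the injected input the vulnerable function yields `WHERE id=7 OR 1=1`, which matches every row; the hardened function returns null before any query is built. Even without the ctype_digit check, binding with %d would reduce `7 OR 1=1` to `7`, so the explicit check mainly avoids silently querying the wrong row on malformed input.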
Proof of Concept:
1 – SQL injection through the `id` GET parameter in the request URL:
2 – Result:
Timeline:
- 14/12/2016 – Discovered
- 15/12/2016 – Vendor notified