13 / 17 WordPress Plugins with over 150,000 / 270,000 active downloads with the same security issues.

Introduction: At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem. It is common to worry …

Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Type user acces: administrator user. Target need have configured ldap and active. $_GET[‘userid’] is not escaped. File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line :  135 $result = $ADI->bulksyncback( $_GET[‘userid’] ); Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = ‘adi_samaccount’ with a not empty …

Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access:  is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …

Dsubscribers – 1.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access:  is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …

Ultimate Product Catalogue 4.2.2 Sql Injection

Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …