Introduction: At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem. It is common to worry …
Homepage: https://pt.wordpress.org/plugins/jtrt-responsive-tables/ Description: Type user acces: registered single user. $_POST[‘tableId’] is not escaped. File / Code: Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php Line : 183 $getTableId = $_POST[‘tableId’]; … $retrieve_data = $wpdb->get_results( “SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = ” . $getTableId ); Proof of Concept: 1 – Log in with single user. 2 …
Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Type user acces: administrator user. Target need have configured ldap and active. $_GET[‘userid’] is not escaped. File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line : 135 $result = $ADI->bulksyncback( $_GET[‘userid’] ); Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = ‘adi_samaccount’ with a not empty …
Introduction: Some time ago I have dedicated to researching about security and vulnerabilities of WordPress plugins. And the result as we can see below is very satisfactory. I have posted and helped the community to stay a bit more secure. WpVull, site that lists vulnerabilities with a focus on WordPress. …
Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access: is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …
Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access: is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …
Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …
Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …
Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …
Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …
