13 / 17 WordPress Plugins with over 150,000 / 270,000 active downloads with the same security issues.

Introduction: At the end of November I noticed a file-handling function in PHP that was going unnoticed by developers, perhaps because it seemed harmless. The function in question is unlink, which, for those who do not know, works to delete a file in the filesystem. It is common to worry …

JTRT Responsive Tables 4.1 – WordPress Plugin – Sql Injection

Homepage: https://pt.wordpress.org/plugins/jtrt-responsive-tables/ Description: Type user acces: registered single user. $_POST[‘tableId’] is not escaped. File / Code: Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php Line :  183 $getTableId = $_POST[‘tableId’]; … $retrieve_data = $wpdb->get_results( “SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = ” . $getTableId ); Proof of Concept: 1 – Log in with single user. 2 …

Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Type user acces: administrator user. Target need have configured ldap and active. $_GET[‘userid’] is not escaped. File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line :  135 $result = $ADI->bulksyncback( $_GET[‘userid’] ); Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = ‘adi_samaccount’ with a not empty …

Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access:  is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …

Dsubscribers – 1.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access:  is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …

Ultimate Product Catalogue 4.2.2 Sql Injection

Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …

ZM Gallery 1 Plugin WordPress – Blind Injection

Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …

ZX_CSV Upload 1 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …

WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …