Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Type user access: administrator user. Target need have configured ldap and active. $_GET[‘userid’] is not escaped. File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line :  135 $result = $ADI->bulksyncback( $_GET[‘userid’] ); Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = ‘adi_samaccount’ with a not empty …

ZM Gallery 1 Plugin WordPress – Blind Injection

Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …

ZX_CSV Upload 1 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …

WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …

Xtreme Locator Dealer Locator Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/xtremelocator/ Description: Type user access: admins user. $_GET[‘id’] is not escaped. Is accessible for only admins user. File / Code: Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php Line: 112 if((isset($_GET[‘id’])||(isset($_POST[‘action’])&&$_POST[‘action’]==”add_field”))&&!isset($_POST[‘field_action’])){ if(isset($_GET[‘id’])){ $field=$wpdb->get_results(“SELECT * FROM `”.$wpdb->prefix.”xtremelocator_fields` WHERE id=”.$_GET[‘id’]); } include_once($xl_path.”/views/add_field.php”); }else{ Proof of Concept: 1 – Using url, sqli by get: 2 – Result:   Timeline: …

WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ Description: Type user access: any user. $_POST[‘cat_id’] is not escaped. Is accessible for any user. File / Code: Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php Line: 4 <?php if ( ! defined( ‘ABSPATH’ ) ) exit; // Exit if accessed directly global $wpdb; $category = $wpdb->get_row( “SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=”.$_POST[‘cat_id’] ); echo …