Categoria: Vulnerabilidades Encontradas

Homepage: https://wordpress.org/plugins/product-catalog-8/ Description: Type user access: any user. $_POST[ ‘selectedCategory’ ] is not escaped. UpdateCategoryList() is accessible for any user. File / Code: Path: /wp-content/plugins/product-catalog-8/includes/ajax-functions.php Line: 147 function UpdateCategoryList() { global $wpdb, $subcategories_table; global $wpdb; $table = $subcategories_table; $catid = $_POST[‘selectedCategory’]; if($catid !== ‘0’) { $get_items = $wpdb->get_results( “SELECT * FROM $table …

Homepage: BBS e-Franchise Descrição: Type of user: qualquer usuário. $_GET[‘uid’] não é filtrado. Tem que encontrar onde o plugin é usado em um dos posts ou páginas. Url vulnerável: http://target/2016/09/26/ola-mundo-2/ File / Code: File: /wp-content/plugins/bbs-e-franchise/lib/franchise.class.php ) ); require_once($templatePath.’/list.php’); //보기 } else { $DATA = $wpdb->get_row( “SELECT * FROM {$this->table_list} WHERE ( …

Homepage: https://wordpress.org/plugins/answer-my-question/ Descrição: $_POST[‘id’] is not escaped. Url is accessible for any user. Url vulnerable : http://target/wp-content/plugins/answer-my-question/modal.php Arquivo/ Código: Arquivo: /wp-content/plugins/answer-my-question/modal.php Código: require_once(‘../../../wp-load.php’); global $wpdb; $table_name = $wpdb->prefix . “answer_my_question”; $result = $wpdb->get_results(“SELECT * FROM $table_name WHERE id=”.$_POST[‘id’].” LIMIT 1;”); Proof of Concept: OR OBS: Change ID until return session_user Timeline: 10/11/2016 …

Homepage: https://wordpress.org/plugins/mini-cart/ Descrição: $_REQUEST[item] is not escaped. Url is accessible for user collaborator above. Url vulnerável : http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0 Arquivo / Código: … /wp-content/plugins/mini-cart/item_form.php line: 28 $item = array(); if($action == ‘edit’) { $item = $wpdb->get_row(“SELECT * FROM {$wpdb->prefix}minicart_item WHERE ID = $_REQUEST[item]”); } ?> Prova de Conceito: Logged with user collaborator : Url …

Homepage: https://wordpress.org/plugins-wp/fs-shopping-cart/ Descrição: $_POST[ ‘pid’ ] is not escaped. Url is accessible for every registered user. Url vulnerável : http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0 File / Code: … /wp-content/plugins/fs-shopping-cart/includes/admin_produtcs.php line: 64 echo ‘<div class=”wrap”>’; if (isset($_GET[‘pid’])) { echo ‘<h2>Editing ‘.$wpdb->get_var(“SELECT products_part_number FROM “.$wpdb->prefix.”fssc_products WHERE products_id = “.$_GET[‘pid’]).’ <a href=”admin.php?page=fssc-products&f=add” class=”add-new-h2″>Add New</a></h2>’; echo fssc_products_sub_links($_GET[‘fp’], $_GET[‘f’], $_GET[‘cid’], …