WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – Sql Injection

Homepage:

https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/

Description:

Type user access: any user.

$_POST['cat_id'] is not escaped before being concatenated into the SQL query. The endpoint is reachable by any user.

File / Code:

Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php

Line: 4

<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
global $wpdb;
// Line 4: $_POST['cat_id'] is concatenated directly into the WHERE clause, unescaped and unvalidated
$category = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=".$_POST['cat_id'] );
echo stripcslashes($category->name);
?>
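
The following is an added example of a hardened replacement for the handler above; it is not the plugin's own fix. It assumes it runs inside WordPress (so $wpdb, wp_die() and esc_html() are available) and keeps the table name exactly as the page shows it.

```php
<?php
// Added example (not the plugin's code): hardened version of wpsp_getCatName.php.
// Assumes the WordPress runtime: $wpdb, wp_die() and esc_html() are defined.
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly

/**
 * Look up a category name by id using a prepared statement.
 * Returns null when the input is not a positive integer or no row matches.
 */
function wpsp_get_category_name_safe( $raw_cat_id ) {
    global $wpdb;

    // Whitelist validation: the id column is an integer, so anything that is
    // not a positive integer is rejected before it reaches the query builder.
    $cat_id = filter_var(
        $raw_cat_id,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $cat_id ) {
        return null;
    }

    // $wpdb->prepare() binds the value; the %d placeholder forces an integer,
    // so user input can never change the structure of the statement.
    $sql = $wpdb->prepare(
        "SELECT name FROM {$wpdb->prefix}wpsp_catagories WHERE id = %d",
        $cat_id
    );

    return $wpdb->get_var( $sql ); // null when no row matches
}

$name = wpsp_get_category_name_safe( isset( $_POST['cat_id'] ) ? $_POST['cat_id'] : '' );
if ( null === $name ) {
    // Reject bad or unknown ids with a 400 instead of echoing a PHP notice
    wp_die( 'Invalid category', '', array( 'response' => 400 ) );
}

// Escape on output so a stored category name cannot inject markup
echo esc_html( $name );
```

A request such as cat_id=1 returns the category name, while cat_id=abc or cat_id=1 OR 1=1 fails integer validation and gets a 400 response before any query is built.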

Proof of Concept:

1 – Using an HTML form:

2 – Using Postman (a Chrome plugin for sending requests)

Timeline:

  • 12/12/2016 – Discovered
  • 13/12/2016 – Vendor notified
  • 16/12/2016 – Issue resolved in version 7.1.5
