WordPress Video Gallery 2.7 SQL Injection

2015.02.12
Credit: Claudio Viviani
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: inurl:/wp-admin/admin-ajax.php?action=rss

###################### # Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip # Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss # Date : 2015-02-11 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Vulnerability Disclosure Timeline: 2015-02-08: Discovered vulnerability 2015-02-09: Vendor Notification 2015-02-10: Vendor Response/Feedback 2015-02-10: Vendor Send Fix/Patch 2015-02-11: Public Disclosure # Description Wordpress Video Gallery 2.7 suffers from SQL injection ###################### # PoC http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi] ##################### # Fix/patch sent by apptha's developer File: videogalleryrss.php Change line n.47 from: $vid = filter_input(INPUT_GET,'vid'); to: $vid = intval(filter_input(INPUT_GET,'vid')); ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top