| Title: Blind SQL Injection in wordpress plugin dukapress v2.5.9 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2015-08-04 |
| CVE-ID:[CVE-2015-1000011] |
| CWE: CWE-89 SQL Injection |
| Download Site: http://wordpress.org/plugins/dukapress/ |
| Vendor: dukapress.org |
| Vendor Notified: 2015-08-07 |
| Vendor Contact: https://twitter.com/moshthepitt |
| Advisory: http://www.vapidlabs.com/advisory.php?v=152 |
| Description: DukaPress is open source software that can be used to build online shops quickly and easily. DukaPress is built on top of WordPress, a world class content management system. DukaPress is built to be both simple and elegant yet powerful and scalable. |
| Vulnerability: The code in dukapress/download.php does not sanitize user input before passing via $_GET['id'] to query() allowing SQL to be injected. The user is not required to be logged into wordpress in order to exploit this vulnerability.
9:$sql = "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) as time_diff FROM `{$table_name2}` WHERE saved_name='{$_GET['id']}'";
.
.
.
26: $wpdb->query("UPDATE {$table_name2} SET count={$download_count} WHERE saved_name='{$_GET['id']}'");
|
| Export: JSON TEXT XML |
| Exploit Code: |
| Screen Shots: |
| Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory