Title: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-11-24 |
CVE-ID:[CVE-2015-7517] |
CWE: |
Download Site: https://wordpress.org/plugins/double-opt-in-for-download/ |
Vendor: https://profiles.wordpress.org/andyba45/ http://www.labwebdesigns.com |
Vendor Notified: 2015-11-24 |
Vendor Contact: |
Advisory: http://www.vapidlabs.com/advisory.php?v=157 |
Description: Capture visitors names and email addresses by offering FREE downloads to your visitors in exchange for their email address with our Double Opt-In Plug |
Vulnerability: The file double-opt-in-for-download/public/includes/class-doifd-download.php the lines 61 & 110:
38 $ver = $_GET[ 'ver' ];
.
.
61 $checkallowed = $wpdb->get_row ( "SELECT doifd_downloads _allowed FROM " . $wpdb->prefix . "doifd_lab_subscribers WHERE doifd_verifi cation_number = '$ver' " );
.
.
110 $wpdb->query (
111 "
112 UPDATE $wpdb->doifd_subscribers
113 SET doifd_downloads_allowed = doifd_downloads_allowe d+1 WHERE doifd_verification_number = '$ver'
114 "
115 );
Allows Blind SQL injection at the $ver parameter as it is not properly sanitized or passed through a prepare() function first.
In file double-opt-in-for-download/public/includes/class-doifd-landing-page.php line 71 allows for SQL injection via the $ver parameter.
26 public function getVerification() {
27 $this->verification = $_GET[ 'ver' ];
28 return $this->verification;
29 }
.
.
71 $sql = "SELECT *
72 FROM {$wpdb->prefix}doifd_lab_subscribers
73 INNER JOIN {$wpdb->prefix}doifd_lab_downloads
74 ON {$wpdb->prefix}doifd_lab_downloads.doifd_download_id = {$ wpdb->prefix}doifd_lab_subscribers.doifd_download_id
75 WHERE doifd_verification_number = '$this->verification'";
76
77 $this->data = $wpdb->get_row( $sql, ARRAY_A ); |
Export: JSON TEXT XML |
Exploit Code: |
Screen Shots: |
Notes: |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory