Title: Blind SQL Injection in Wordpress plugin eventr v1.02.2 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-05-21 |
CVE-ID:[CVE-2017-1002018][CVE-2017-1002019] |
CWE: |
Download Site: https://wordpress.org/plugins/eventr/ |
Vendor: http://www.binnyva.com/ |
Vendor Notified: 2017-05-22 |
Vendor Contact: |
Advisory: http://www.vapidlabs.com/advisory.php?v=192 |
Description: Use this plugin if you want to use your blog as an event management tool.
Vulnerability: The event edit form (event_form.php) and attendees.php interpolate the request parameter $_REQUEST[event] directly into SQL queries, unquoted and without any sanitization. Because the result of the query is not reflected in a way that leaks data directly, the practical attack is blind, time-based SQL injection, and it requires an authenticated user who is able to modify events. The attendees query repeats the same pattern with $_REQUEST[search], which is concatenated into a LIKE pattern without escaping.
CVE-2017-1002018
In attendees.php:
    $search = '';
    // The search term is concatenated straight into the LIKE pattern; the quotes around it are
    // not an escape mechanism, so a value containing a single quote breaks out of the string.
    if(isset($_REQUEST['search']) and $_REQUEST['search']) $search = "AND A.name LIKE '%$_REQUEST[search]%'";

    // $_REQUEST[event] is interpolated unquoted into the WHERE clause: this is the injection point.
    $all_attendee = $wpdb->get_results("SELECT A.ID,A.name,A.url,A.email, EA.added_on, A.status FROM `{$wpdb->prefix}eventr_attendee` AS A
        INNER JOIN `{$wpdb->prefix}eventr_event_attendee` AS EA ON attendee_ID=A.ID
        WHERE EA.event_ID=$_REQUEST[event] $search ORDER BY A.name LIMIT $offset, $items_per_page");
CVE-2017-1002019
In event_form.php:
    $action = 'new';
    if($_REQUEST['action'] == 'edit') $action = 'edit';

    $event = array();
    if($action == 'edit') {
        // Same defect as attendees.php: the event ID comes from the request and is
        // interpolated into the query without a cast, escaping, or a prepared statement.
        $event = $wpdb->get_row("SELECT name,description,event_date,maximum_attendees,landing_page,status FROM {$wpdb->prefix}eventr_event WHERE ID = $_REQUEST[event]");
    }
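The fix for both CVE-2017-1002018 and CVE-2017-1002019 is the same: bind the event ID, the search term and the paging values instead of interpolating them. The following is an added example written for this advisory, not code from the eventr plugin or its vendor. The two function names are hypothetical; `$wpdb->prepare()`, `$wpdb->esc_like()`, `$wpdb->get_results()` and `$wpdb->get_row()` are the WordPress core database APIs. The query text mirrors the vulnerable queries shown above.

```php
<?php
// Added example (not the plugin's code): the two eventr queries above rewritten so
// that every request-controlled value is bound through $wpdb->prepare() rather than
// concatenated into the SQL string. Function names are hypothetical.

function eventr_safe_attendees( $wpdb, $event_id, $search, $offset, $items_per_page ) {
    // The ID and paging values are integers by contract, so cast them first. A payload such
    // as "1 AND SLEEP(5)" becomes 1 here; the %d placeholder below would reject it as well.
    $event_id       = (int) $event_id;
    $offset         = (int) $offset;
    $items_per_page = (int) $items_per_page;

    // {$wpdb->prefix} is configuration, not user input, so it may stay interpolated.
    $sql  = "SELECT A.ID, A.name, A.url, A.email, EA.added_on, A.status
             FROM `{$wpdb->prefix}eventr_attendee` AS A
             INNER JOIN `{$wpdb->prefix}eventr_event_attendee` AS EA ON attendee_ID = A.ID
             WHERE EA.event_ID = %d";
    $args = array( $event_id );

    if ( $search !== '' ) {
        // esc_like() escapes the LIKE metacharacters (%, _ and \) so the caller cannot widen
        // the pattern; %s then quotes and escapes the whole value as a string literal.
        $sql   .= " AND A.name LIKE %s";
        $args[] = '%' . $wpdb->esc_like( $search ) . '%';
    }

    $sql   .= " ORDER BY A.name LIMIT %d, %d";
    $args[] = $offset;
    $args[] = $items_per_page;

    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

function eventr_safe_event( $wpdb, $event_id ) {
    // Equivalent of the event_form.php lookup with the ID bound as an integer.
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT name, description, event_date, maximum_attendees, landing_page, status
         FROM `{$wpdb->prefix}eventr_event` WHERE ID = %d",
        (int) $event_id
    ) );
}

// Call sites would pass the raw request values, e.g.:
//   $all_attendee = eventr_safe_attendees( $wpdb, $_REQUEST['event'],
//       isset( $_REQUEST['search'] ) ? $_REQUEST['search'] : '', $offset, $items_per_page );
//   $event = eventr_safe_event( $wpdb, $_REQUEST['event'] );
```

Two things to check when applying a fix like this: `$wpdb->prepare()` only protects values passed through placeholders, so any remaining interpolation (an ORDER BY column, a table name taken from the request) has to be validated separately; and binding the ID fixes the injection but says nothing about authorization, so the capability check that restricts these pages to users allowed to edit events still has to be present in the calling code.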
Exploit Code:
Screen Shots: |
Notes: |