Title: Blind SQL Injection in WordPress Plugin Easy Team Manager v1.3.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-05-24
CVE-ID: CVE-2017-1002023
CWE:
Download Site: https://wordpress.org/plugins/easy-team-manager/
Vendor: https://daisythemes.com/
Vendor Notified: 2017-05-24
Vendor Contact: web form contact
Advisory: http://www.vapidlabs.com/advisory.php?v=194
Description: Easy Team Manager helps you create team members with short descriptions and social profile links, with smooth hover effects.
Vulnerability: The following code does not sanitize $_GET['id'] before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php:
    global $wpdb;
    // $_GET['id'] is concatenated directly into the query string with no validation or escaping
    $easy_team_manager_desc = $wpdb->get_results("SELECT *from ".$wpdb->prefix."easy_team_manager_description where id=".$_GET['id']);
    foreach ($easy_team_manager_desc as $s ){
        $ind_name_detail = unserialize($s->name);
        $socia_media = unserialize($s->social_media);
        $id=$_GET['id'];
        $ind_position = esc_attr($s->position);
        $ind_image=$s->image;
        $ind_email_detail = unserialize($s->email);
        $ind_phone_detail = unserialize($s->phone);
        $ind_desc = esc_attr(stripcslashes($s->ind_description));
This allows blind SQL injection via the id parameter by an authenticated user with edit team privileges.
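As an added illustration (not the plugin's own code), the vulnerable lookup from the advisory beside a hardened version that checks a capability first and binds the id through WordPress's $wpdb->prepare() with a %d placeholder; the function names and the 'edit_posts' capability are assumptions.

```php
<?php
// Added illustration, not code from the Easy Team Manager plugin.
// Assumes a WordPress request context where $wpdb is loaded;
// 'edit_posts' is a placeholder for whatever capability the edit page should require.

// Vulnerable pattern from the advisory: $_GET['id'] is concatenated straight into
// the SQL text, so a non-numeric value changes the meaning of the query.
function etm_desc_lookup_vulnerable() {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * from " . $wpdb->prefix . "easy_team_manager_description where id=" . $_GET['id']
    );
}

// Hardened version:
//  1. enforce a capability before touching the database;
//  2. coerce the id to a non-negative integer with absint();
//  3. bind it via $wpdb->prepare() with %d, which is emitted as an integer
//     regardless of what the request actually contained.
function etm_desc_lookup_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'edit_posts' ) ) {   // assumed capability
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid id.', '', array( 'response' => 400 ) );
    }

    $table = $wpdb->prefix . 'easy_team_manager_description';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql );
}
```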
Exploit Code:
Screen Shots:
Notes: