Title: Authenticated blind SQL injection in add-edit-delete-listing-for-member-module v1.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-06-21 |
CVE-ID: CVE-2017-1002025 |
CWE: |
Download Site: https://wordpress.org/plugins/add-edit-delete-listing-for-member-module/ |
Vendor: Romal Patel |
Vendor Notified: 2017-07-05 |
Vendor Contact: niraj.patel.it@gmail.com |
Advisory: |
Description: This plugin is used for an add, edit, delete and listing module on the admin side. |
Vulnerability: The plugin author does not sanitize user-supplied input via $act before passing it into an SQL statement. This allows a user logged in as administrator to inject SQL statements into the query.
    require_once("memberclass.php");
    $objMem = new memberClass();

    $addme=$_POST["addme"];
    global $wpdb;
    // ... (lines omitted in the advisory excerpt)
    $act=$_REQUEST["act"];
    if($act=="upd")
    {
        // $recid is taken from the request and interpolated into the query unquoted
        $recid=$_REQUEST["id"];
        $sSQL="select * from ".$table_name = $wpdb->prefix . "member where id=$recid";
        $result = $wpdb->get_results($sSQL);
        $result = $result[0];
        if (sizeof($result) > 0 )
        {
        // ... (excerpt ends here)
|
Exploit Code:
|
Screen Shots: |
Notes: |
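The excerpt's "upd" branch places `$recid` into the query text unquoted. The following is an added example, not code from the plugin or the advisory, showing that concatenation pattern beside a validated, bound-parameter lookup. Assumptions: PDO with in-memory SQLite stands in for `$wpdb`, the `wp_member` table and its rows are constructed sample data, and the function names are hypothetical. In WordPress itself the corresponding calls are `absint()` and `$wpdb->prepare()` with a `%d` placeholder.

```php
<?php
// Added example: stand-alone stand-in for the plugin's "upd" lookup.
// PDO + in-memory SQLite replace $wpdb (assumption); data below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_member (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO wp_member (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Pattern from the advisory excerpt: the request value becomes part of the
// SQL text, so anything following the number is parsed as SQL.
function lookup_concat(PDO $db, string $id): array
{
    $sql = "select * from wp_member where id=$id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a parameter
// so the value can never change the structure of the statement.
function lookup_bound(PDO $db, string $id): array
{
    $recid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($recid === false) {
        return []; // reject anything that is not a plain integer id
    }
    $stmt = $db->prepare('SELECT * FROM wp_member WHERE id = :id');
    $stmt->bindValue(':id', $recid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, then the same id with an appended condition.
// With concatenation the row count follows the appended condition, which is
// the yes/no signal a blind injection depends on; the bound form rejects both.
foreach (['1', '1 AND 1=2', '1 AND 1=1'] as $id) {
    printf(
        "%-12s concat=%d row(s)  bound=%d row(s)\n",
        "'$id'",
        count(lookup_concat($db, $id)),
        count(lookup_bound($db, $id))
    );
}
```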