Title: Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-contact-form v1.0 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-07-01 |
CVE-ID: CVE-2017-1002027 |
CWE: |
Download Site: https://wordpress.org/plugins/rk-responsive-contact-form/ |
Vendor: rkdevelopers |
Vendor Notified: 2017-08-05 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=198 |
Description: A simple WordPress plugin that generates a responsive contact form on your website or blog |
Vulnerability: The variable $delid, taken directly from the did request parameter, isn't sanitized before being concatenated into an SQL query in the file ./rk-responsive-contact-form/include/rk_user_list.php:
<?php
global $wpdb;
$table_name = $wpdb->prefix . "rk_contact";
$info=$_GET["info"];
if($info=="del")
{
    // raw request value; no type check, escaping or prepare()
    $delid=$_GET["did"];

    // $delid is concatenated straight into the DELETE statement
    $wpdb->query("delete from ".$table_name." where `user_id`=".$delid);
    echo "<div style='clear:both;'></div><div class='updated' id='message'><p><strong>:".__('User Record Deleted.','rkcontactform')."</strong>.</p></div>";
}
?>
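The following is an added example of how that delete handler can be hardened; it is not the plugin's own code and not part of the original advisory. It assumes it runs inside WordPress, as the original does, so $wpdb, current_user_can(), check_admin_referer(), wp_die(), absint() and esc_html__() are available. The capability name 'manage_options' and the nonce action 'rk_delete_contact' are assumptions chosen for this example.

```php
<?php
// Added example (not the plugin's own code): hardened version of the
// delete handler. Assumes a WordPress runtime. The capability
// 'manage_options' and the nonce action 'rk_delete_contact' are
// assumptions made for this example.

global $wpdb;
$table_name = $wpdb->prefix . 'rk_contact';

// Only run the delete branch when the action is explicitly requested.
if ( isset( $_GET['info'] ) && $_GET['info'] === 'del' ) {

    // 1. Authorization: only sufficiently privileged users may delete records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete contact records.', 'rkcontactform' ) );
    }

    // 2. CSRF protection: the delete link must carry a valid nonce, e.g. one
    //    generated with wp_nonce_url( $url, 'rk_delete_contact' ).
    check_admin_referer( 'rk_delete_contact' );

    // 3. Input validation: user_id is numeric, so coerce to a non-negative
    //    integer. absint( '1 OR 1=1' ) yields 1 and absint( 'abc' ) yields 0,
    //    so nothing but a plain positive integer survives this step.
    $delid = isset( $_GET['did'] ) ? absint( $_GET['did'] ) : 0;
    if ( 0 === $delid ) {
        wp_die( esc_html__( 'Invalid record id.', 'rkcontactform' ) );
    }

    // 4. Parameterized query: $wpdb->prepare() binds the value via the %d
    //    placeholder, so the id can never alter the structure of the SQL.
    //    The table name comes from $wpdb->prefix, not from the request, so
    //    interpolating it is safe.
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$table_name} WHERE `user_id` = %d",
            $delid
        )
    );

    // Equivalent using the helper, which builds the bound query for you:
    // $deleted = $wpdb->delete( $table_name, array( 'user_id' => $delid ), array( '%d' ) );

    if ( false === $deleted ) {
        echo '<div class="error"><p><strong>'
            . esc_html__( 'Database error while deleting record.', 'rkcontactform' )
            . '</strong></p></div>';
    } else {
        echo '<div style="clear:both;"></div><div class="updated" id="message"><p><strong>'
            . esc_html__( 'User Record Deleted.', 'rkcontactform' )
            . '</strong></p></div>';
    }
}
```

The two changes that close the SQL injection are steps 3 and 4: absint() makes the value an integer before it is used at all, and $wpdb->prepare() with %d binds it rather than concatenating it, so either one alone would already prevent the query structure from being altered. Steps 1 and 2 address the separate problem that the original handler deletes a record for anyone who can reach the page with the right query string, with no capability check and no nonce.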
Exploit Code: |
Screen Shots: |
Notes: |