Title: Blind SQL Injection in WordPress plugin wordpress-gallery-transformation v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-07-22
CVE-ID: CVE-2017-1002028
CWE:
Download Site: https://wordpress.org/plugins/wordpress-gallery-transformation/
Vendor: http://angrybyte.com
Vendor Notified: 2017-08-07
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=199
Description: Transforms WordPress into a gallery, wallpapers website, you name it.
Vulnerability: SQL injection in ./wordpress-gallery-transformation/gallery.php: the $jpic parameter (populated from $_GET['picnj']) is interpolated into an SQL query without any sanitization.
Vulnerable code (gallery.php, lines 231-240; the unsanitized parameters are read on lines 236-237):

    $pfx=$wpdb->prefix;
    dbcreator();
    if($_GET['picnj']){

        $jpic=$_GET['picnj'];
        $jnm=$_GET['nmj'];
        $wpdb->query("update {$pfx}gallery set name='{$jnm}' where id=$jpic;");
        $wpdb->query("update {$pfx}gallery set rates=44");
        return 'ok?';
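A hardened rewrite of the handler above, added here as an illustration and not taken from the plugin: the values are coerced and bound through $wpdb->prepare() instead of being interpolated into the query string. The function name and the nonce action 'wgt_rename_pic' are assumptions; the WordPress APIs used (absint, sanitize_text_field, wp_unslash, current_user_can, check_admin_referer, wpdb::prepare) are core functions.

```php
<?php
// Added illustration, not the plugin's own code. Assumes it runs inside
// WordPress (global $wpdb and the core helpers below). The function name and
// the nonce action 'wgt_rename_pic' are assumptions.
function wgt_rename_picture_safely() {
    global $wpdb;
    $pfx = $wpdb->prefix;

    // Only act when both parameters are actually present.
    if ( ! isset( $_GET['picnj'], $_GET['nmj'] ) ) {
        return 'missing parameters';
    }

    // A database write should be gated by a capability and a nonce; the
    // excerpt above shows neither, so both are added here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return 'forbidden';
    }
    check_admin_referer( 'wgt_rename_pic' );

    // Coerce the id to a non-negative integer and strip tags and stray
    // whitespace from the name before either value reaches the query.
    $jpic = absint( wp_unslash( $_GET['picnj'] ) );
    $jnm  = sanitize_text_field( wp_unslash( $_GET['nmj'] ) );
    if ( 0 === $jpic ) {
        return 'invalid id';
    }

    // $wpdb->prepare() binds the values: %d is cast to an integer and %s is
    // escaped and quoted, so neither parameter can change the query structure.
    $sql = $wpdb->prepare(
        "UPDATE {$pfx}gallery SET name = %s WHERE id = %d",
        $jnm,
        $jpic
    );
    $wpdb->query( $sql );

    // The second statement takes no user input and can stay as it was.
    $wpdb->query( "UPDATE {$pfx}gallery SET rates = 44" );
    return 'ok';
}
```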
Exploit Code:
Screen Shots:
Notes: