Lucene search
K

WordPress Plugin Ultimate Product Catalogue - SQL Injection (2)

🗓️ 23 Apr 2015 00:00:00Reported by Felipe MolinaType 
exploitpack
 exploitpack
👁 16 Views

Unauthenticated SQL injection in Ultimate Product Catalogue WordPress plugi

Code
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue
wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Comunicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turnedd off, Apache
2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps

1. Summary:

     Ultimate Product Catalogue is A responsive and easily customizable
plugin for all your product catalogue needs. It has +59.000 downloads,
+3.000 active installations.

 Unauthenticated SQL injection in parameter "SingleProduct" when a web
visitor explores a product published by the web administrator

2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Comunicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
3. Vulnerable code:

    File Functions/Shortcodes.php line 779

3. Proof of concept

    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b

4. Solution:

    Update to version 3.1.3

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation