Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Register Plus Redux 3.7.3.1 XSS / SQL Injection / Code Execution

🗓️ 29 Dec 2011 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 172 Views

Plugin Register Plus Redux 3.7.3.1 vulnerabilities fixed in version 3.

Code
`Hello list!  
  
I want to warn you about multiple new vulnerabilities in plugin Register   
Plus Redux for WordPress. Last version of the plugin was checked.  
  
These are Cross-Site Scripting, SQL Injection, Code Execution and Full path   
disclosure vulnerabilities.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Register Plus Redux v3.7.3.1 and previous versions.  
  
By request of my client I've made new version of the plugin with fixing of   
all vulnerabilities, which I found. I named this version as Register Plus   
Redux 3.8 (to distinguish between it and original version of the plugin). So   
all users of this plugin can find new and secure version of the plugin in   
Internet.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
POST request at page http://site/wp-login.php?action=register  
</textarea><script>alert(document.cookie)</script>  
In field About Yourself.  
  
By using function Autocomplete URL it's possible to conduct attack via GET:  
  
http://site/wp-login.php?action=register&description=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
At plugin options page the protection against CSRF is used, so it needs to   
use reflected XSS for bypassing it and conducting of persistent XSS and   
persistent SQL Injection attacks.  
  
Persistent XSS (WASC-08):  
  
At set option "Show Invitation Code Tracking widget on Dashboard" in plugin   
settings and adding invitation code (Add a new invitation code), it's   
possible to set JS/VBS code.  
<script>alert(document.cookie)</script>  
  
Which will work at page Dashboard (http://site/wp-admin/index.php).  
  
Persistent SQL Injection (WASC-19):  
  
At set option "Show Invitation Code Tracking widget on Dashboard" in plugin   
settings and adding invitation code (Add a new invitation code), it's   
possible to set for SQL Injection.  
' and benchmark(1000000,md5(now())) and 1='1  
  
Which will work at visiting of the page Dashboard   
(http://site/wp-admin/index.php). This is Persistent Blind SQL Injection   
(http://websecurity.com.ua/2751/).  
  
Code Execution (WASC-31):  
  
If to have access to plugin settings, it's possible to conduct Code   
Execution via field Custom Logo URL via uploading of 1.phtml.jpg. It's   
depends of version of the engine, which I've wrote about in post Code   
Execution in WordPress 2.5 - 3.1.1 (http://websecurity.com.ua/5108/). This   
attack will work in versions of engine before WordPress 3.1.3, where   
developers fixed upload functionality (which is used by the plugin).  
  
Full path disclosure (WASC-13):  
  
http://site/wp-content/plugins/register-plus-redux/register-plus-redux.php  
  
In register-plus-redux.php there is FPD (as in previous versions). And file   
dash_widget.php (with FPD) was remade to   
dashboard_invitation_tracking_widget.php, which already has no FPD.  
  
Also FPD was fixed at POST request at page   
http://site/wp-login.php?action=register. But in special way it can be   
resurrected.  
  
At adding of new field in Additional Fields and at setting 1 (or almost any   
value) in field Options and at turning on the option Show on Registration,   
FPD will appear at POST request at page   
http://site/wp-login.php?action=register.  
  
Also it's possible to add to the site two FPD vulnerabilities. If to set in   
Custom Logo URL the address to not image file or just "http://", then there   
will be showing error message with FPD at pages   
http://site/wp-admin/options-general.php?page=register-plus-redux and   
http://site/wp-login.php?action=register.  
  
------------  
Timeline:  
------------  
  
2011.11.25 - found vulnerabilities.  
2011.11.30 - fixed vulnerabilities.  
2011.11.30 - Informed developer.  
2011.11.30 - announced at my site.  
2011.11.30 - released Register Plus Redux 3.8 (with fixed all   
vulnerabilities of version 3.7.3.1).  
2011.12.05 - released Register Plus Redux 3.8.1 (with new features).  
2011.12.29 - disclosed at my site.  
  
I mentioned about these vulnerabilities at my site:  
http://websecurity.com.ua/5532/  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Dec 2011 00:00Current
0.4Low risk
Vulners AI Score0.4
wordpressxsssql injectioncode executionfull path disclosurevulnerabilitiespluginregister plus redux
172