WP Support Plus Responsive Ticket System 7.1.3 – WordPress Plugin – SQL Injection

2017-04-25T00:00:00
ID SSV:93047
Type seebug
Reporter Root
Modified 2017-04-25T00:00:00

Description

Homepage:

https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/

Description:

Required user access: any user.

$_POST['cat_id'] is concatenated into a SQL query without escaping or casting, and the script is accessible to any user.

File / Code:

Path: /wp-content/wp-support-plus-responsive-ticket-system/includes/admin/wpsp_getCatName.php

Line: 4

<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
global $wpdb;
// Vulnerable sink: $_POST['cat_id'] goes straight into the query string, no prepare(), no cast
$category = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=".$_POST['cat_id'] );
echo stripcslashes($category->name);
?>
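
The following is an added example of how the query above should be written; it is not code from the plugin or from the original report. It keeps the same table and column names and assumes the file is still loaded inside WordPress, so $wpdb, absint(), esc_html() and wp_die() are available. The error messages and the choice to return 400/404 are illustrative.

```php
<?php
// Added example (not the plugin's code): hardened version of wpsp_getCatName.php.
// Assumes the script still runs inside WordPress so $wpdb is defined.
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
global $wpdb;

// Vulnerable original, for comparison: the raw POST value is appended to the SQL text.
//   $category = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpsp_catagories where id=" . $_POST['cat_id'] );

// Hardened: coerce the input to a non-negative integer first, reject zero/garbage,
// then bind it through $wpdb->prepare(). The %d placeholder forces an integer,
// so quotes, whitespace and SQL keywords supplied in cat_id never reach the query.
$cat_id = isset( $_POST['cat_id'] ) ? absint( $_POST['cat_id'] ) : 0;
if ( 0 === $cat_id ) {
    wp_die( 'Invalid category id', '', array( 'response' => 400 ) );
}

// Select only the column that is actually used instead of SELECT *.
$category = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT name FROM {$wpdb->prefix}wpsp_catagories WHERE id = %d",
        $cat_id
    )
);

if ( null === $category ) {
    wp_die( 'Category not found', '', array( 'response' => 404 ) );
}

// The original echoed the name unescaped; escape on output as well.
echo esc_html( stripcslashes( $category->name ) );
```

Binding through $wpdb->prepare() fixes the injection itself. The second issue the report raises, that any user can reach this script, is separate from the query and depends on how the plugin invokes the file (for example via admin-ajax.php); the page does not show that wiring, so the appropriate nonce or capability check (check_ajax_referer(), current_user_can()) is not shown here.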

Proof of Concept:

1 – Using an HTML form:

2 – Using Postman (a Chrome extension for crafting HTTP requests)