27 lines
No EOL
1.1 KiB
Text
27 lines
No EOL
1.1 KiB
Text
# Title: WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection
|
|
# Author: defensecode
|
|
# Date: 2018-06-12
|
|
# Software: WordPress Ultimate Form Builder Lite plugin
|
|
# Version: 1.3.7 and below
|
|
|
|
# The easiest way to reproduce the SQL injection vulnerability is to
|
|
# visit the provided URL while being logged in as administrator or
|
|
# another user that is authorized to access the plugin settings page.
|
|
# Users that do not have full administrative privileges could abuse the
|
|
# database access the vulnerability provides to either escalate their
|
|
# privileges or obtain and modify database contents they were not
|
|
# supposed to be able to.
|
|
|
|
# SQL injection
|
|
# Vulnerable Function: $wpdb->get_row()
|
|
# Vulnerable Variable: $_POST['entry_id']
|
|
# Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php
|
|
# Vulnerable POST body:
|
|
|
|
entry_id=ExploitCodeHere&_wpnonce=xxx&action=ufbl_get_entry_detail_action
|
|
|
|
# Disclosure Timeline
|
|
# 2018/06/01 Vulnerabilities discovered
|
|
# 2018/06/06 Vendor contacted
|
|
# 2018/06/08 Vendor responded
|
|
# 2018/06/12 Advisory released to the public |