2 More Wordpress Plugin Exploits - Adserve & WassUp
Wow, four Wordpress plugin exploits released in under a week. Are these plugin authors really amateurs, or just trying to pwn Wordpress blogs?
First up, Adserve version 0.2. The SQL injection vulnerability resides in adclick.php, which hands the raw id parameter to iri_AdServe_BannerClick(). Here’s the vulnerable code:
if (isset($_GET['id'])) {
    // adclick.php: $_GET['id'] is passed through untouched
    Header("Location: ".iri_AdServe_BannerClick($_GET['id']));
}
// inside iri_AdServe_BannerClick($id): $id is interpolated straight into the query
return $wpdb->get_var("SELECT url FROM $table_name WHERE id=$id;");
Again, the id variable isn’t sanitized or escaped, and successful exploitation discloses the Wordpress administrator login and the MD5 password hash that goes with it. If you’re using this plugin, either uninstall it, or patch the code if you’re familiar with PHP.
Next up is the plugin known as WassUp, a live visitor reporting tool. The hole is again the result of improper sanitization within not one, but two files. In spy.php:
// HTML-oriented filtering only; the value is still unescaped as far as SQL is concerned
if (isset($_GET['to_date'])) $to_date = htmlentities(strip_tags($_GET['to_date']));
And in main.php:
function spyview ($from_date="",$to_date="",$rows="999") {
    global $wpdb;
    // $from_date and $to_date are interpolated directly into the query
    $qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp)
        as max_timestamp, ip, hostname, searchengine, urlrequested,
        agent, referrer, spider, username, comment_author
        FROM $table_name WHERE timestamp BETWEEN $from_date
        AND $to_date GROUP BY id ORDER BY max_timestamp DESC");
    // ... rest of the function
}
The $from_date and $to_date values are, again, never escaped for SQL; strip_tags() and htmlentities() only defang HTML and do nothing against SQL injection. This allows malicious individuals to run essentially whatever SQL query they’d like, including a SELECT statement that returns your Wordpress administrator account credentials. You’re advised to either uninstall this plugin and wait until a fix is released, or patch it yourself.
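For anyone patching either plugin themselves, here is what both queries look like rewritten around $wpdb->prepare(), so the user-supplied values never reach the SQL string unescaped. This is an added example, not code from Adserve or WassUp: the table names, the _safe function names and the validation helper are assumptions, and the WassUp half assumes the timestamp column holds a Unix epoch integer, which the unquoted comparison in the original query suggests.

```php
<?php
// Added example (not the plugins' own code): hardened forms of the two
// vulnerable queries quoted above. Table names and *_safe names are assumed.

// --- Adserve: adclick.php / iri_AdServe_BannerClick() -------------------

// Returns the stored click-through URL for an ad id, or null if none.
function iri_AdServe_BannerClick_safe( $id ) {
    global $wpdb;
    $table_name = $wpdb->prefix . 'adserve';   // assumed table name

    // Reject anything that is not a positive integer before touching the DB.
    $id = (int) $id;
    if ( $id <= 0 ) {
        return null;
    }

    // %d is an integer placeholder: quoting tricks in the input cannot change the query.
    $sql = $wpdb->prepare( "SELECT url FROM {$table_name} WHERE id = %d", $id );
    return $wpdb->get_var( $sql );
}

if ( isset( $_GET['id'] ) ) {
    $url = iri_AdServe_BannerClick_safe( $_GET['id'] );
    if ( $url === null ) {
        status_header( 404 );
        exit;
    }
    // The stored URL is admin-entered data, but still filter it before redirecting.
    wp_redirect( esc_url_raw( $url ) );
    exit;
}

// --- WassUp: main.php spyview() -------------------------------------------

// Accepts only a non-negative integer (Unix timestamp); returns -1 on anything else.
function wassup_valid_timestamp( $value ) {
    if ( ! is_numeric( $value ) ) {
        return -1;
    }
    $value = (int) $value;
    return ( $value >= 0 ) ? $value : -1;
}

function spyview_safe( $from_date = '', $to_date = '', $rows = 999 ) {
    global $wpdb;
    $table_name = $wpdb->prefix . 'wassup';   // assumed table name

    // Validate first. htmlentities()/strip_tags() protect HTML output, not SQL,
    // so they are the wrong tool for this job.
    $from = wassup_valid_timestamp( $from_date );
    $to   = wassup_valid_timestamp( $to_date );
    $rows = (int) $rows;
    if ( $from < 0 || $to < 0 || $from > $to || $rows <= 0 ) {
        return array();
    }

    // Every user-controlled value goes through a placeholder, including LIMIT.
    $sql = $wpdb->prepare(
        "SELECT id, wassup_id, MAX(timestamp) AS max_timestamp, ip, hostname,
                searchengine, urlrequested, agent, referrer, spider, username,
                comment_author
         FROM {$table_name}
         WHERE timestamp BETWEEN %d AND %d
         GROUP BY id
         ORDER BY max_timestamp DESC
         LIMIT %d",
        $from, $to, $rows
    );
    return $wpdb->get_results( $sql );
}
```

The point of both halves is the same: decide what shape the input is allowed to have (an integer id, an integer timestamp range) and reject everything else, then let prepare() do the quoting. Output filters like htmlentities() belong at the point where data is printed into a page, not in front of a query.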
Case in point - don’t install all these silly and often useless plugins. If the plugin isn’t adding any value to your blog, don’t use it. In my opinion, both these plugins are completely useless.



Really interesting… WP plugin developers should check this out.