2 New WordPress Plugin SQL Injection Vulnerabilities
That’s right, WordPress kiddies: two new vulnerabilities, and they’re pretty nasty. Houssamix from the H-T Team has released two remote SQL injection proofs of concept, one for WP-Cal and one for fGallery 2.4.1.
The vulnerability for WP-Cal exists in:
/wp-content/plugins/wp-cal/functions/editevent.php
and here’s what’s vulnerable:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
Why? No sanitization of $id. Since id in the DB is a numeric column, only numbers should ever be passed in $id; anything else goes straight into the SQL text. I’m no PHP expert, but I’m sure this is an easy fix. If you’re not a PHP expert either, I highly recommend you disable and remove this plugin immediately.
Next up, fGallery 2.4.1. The hole exists in:
/wp-content/plugins/fgallery/fim_rss.php
and here’s what’s vulnerable:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
Again, there’s a lack of proper sanitization: $_GET[album] is interpolated into two queries without ever being checked. Can you spot the hole?
I’d love to provide a fix, but since neither of these plugins is used on Nullamatix, I’ll leave the patching up to those bold enough to use this stuff. If you’re feeling generous and come across a fix, feel free to share in the comments. In the meantime, deactivate and remove these plugins until a patch or fix is released. Yet another way for an otherwise non-vulnerable site hosted on a shared provider to get r00ted. Happy blogging!
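Both snippets above share one defect: a request parameter that should be a numeric id is pasted straight into the SQL string. As an added example (not code from this post or from either plugin), here is the WP-Cal pattern reproduced against an in-memory SQLite table through PDO, so it runs outside WordPress, next to a hardened lookup that validates the id and binds it as a parameter. The table, its rows and the malformed input are all constructed for the demonstration; the same treatment applies to fGallery’s album parameter.

```php
<?php
// Added example, not from the post or the plugins: the WP-Cal defect and its
// fix, run against a constructed in-memory SQLite table so no WordPress is needed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_cal_events (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO wp_cal_events (id, title) VALUES (1, 'public meeting'), (2, 'private meeting')");

// Mirrors the plugin: $id = $_GET['id']; "SELECT * FROM $table WHERE id = $id"
// Whatever arrives in the request becomes part of the SQL text.
function vulnerable_lookup(PDO $db, string $id): array
{
    return $db->query("SELECT * FROM wp_cal_events WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only an unsigned decimal integer of sane length, then bind
// it as a parameter so the driver can never read it as SQL. Returns null when
// the input is rejected or no row matches.
function hardened_lookup(PDO $db, string $raw): ?array
{
    // ctype_digit is stricter than is_numeric: "1e3", " 1" and "1 OR 1=1" all fail here.
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM wp_cal_events WHERE id = :id");
    $stmt->execute([':id' => (int) $raw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inside WordPress the equivalent is $wpdb->prepare() with a %d placeholder:
//   $wpdb->get_row($wpdb->prepare("SELECT * FROM $table WHERE id = %d", $_GET['id']));

$malformed = '1 OR 1=1';   // constructed request value that is not a numeric id

// The unsanitized query returns every event, because the input was executed as SQL.
echo "unsanitized query returned " . count(vulnerable_lookup($db, $malformed)) . " rows\n";

// The hardened lookup rejects the malformed value and still serves a legitimate id.
echo "hardened lookup for malformed id: " . var_export(hardened_lookup($db, $malformed), true) . "\n";
echo "hardened lookup for id 1: " . hardened_lookup($db, '1')['title'] . "\n";
```

Validation alone is not enough on its own: rejecting non-digits stops this injection, but binding the value as a parameter is what keeps the query correct if the column type or the accepted input format ever changes. The WordPress `$wpdb->prepare()` call in the comment does both in one step.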



This is why you have to use as few plugins as possible and check them all the time. I always find putting a blank index.html file in plugins can help too… Or closing it in cPanel or Apache (if you use it).
Yeah, good call. That reminded me, I hadn’t put a blank index.htm in my /plugins/ directory since the upgrade. Thanks!
Well, I can tell you that the first one can be fixed by changing
$id = $_GET['id'];
to
$id = (is_numeric($_GET['id'])) ? intval($_GET['id']) : 0;  // fall back to 0 so the query stays well-formed
that checks to make sure that $_GET['id'] is a number, and if it is, it assigns the numerical value of it to $id.
Dunno about the second. Figured that one would help, at least!
Thanks for the heads up about the holes.