2 New Wordpress Plugin SQL Injection Vulnerabilities

Posted 1943 days ago - Security, Wordpress

That's right, Wordpress kiddies: two new vulnerabilities, and they're pretty nasty. Houssamix from the H-T Team has released remote SQL injection proofs of concept for two plugins, WP-Cal and fGallery 2.4.1.

The vulnerability for WP-Cal exists in:

/wp-content/plugins/wp-cal/functions/editevent.php

and here's what's vulnerable:

$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");

Why? No sanitization of $id. The id column in the DB is numeric, so only an integer should ever reach that query, but whatever the client puts in the query string is dropped straight into the WHERE clause. Since the comparison isn't quoted, the attacker doesn't even need to break out of a string literal; anything appended after the number becomes part of the SQL. I'm no PHP expert, but this is an easy fix: cast $id to an integer, or bind it with $wpdb->prepare(). If you're not a PHP expert either, I highly recommend you disable and remove this plugin immediately.

Next up, fGallery 2.4.1. The hole exists in:

/wp-content/plugins/fgallery/fim_rss.php

and here's what's vulnerable:

$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs
WHERE cat = $_GET[album] AND status = 'include'");

Again, there's no sanitization at all: $_GET[album] is dropped straight into two queries, unquoted, so the attacker controls the rest of both WHERE clauses, and a trailing comment sequence cuts off the AND status = 'include' filter in the second one. Can you spot the hole?
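As an added example (not code from the page, from WP-Cal or from fGallery), here is the same pattern modelled in Python against an in-memory SQLite database with constructed sample rows: the two vulnerable queries the post quotes, and a hardened version that validates the id as an integer and binds it as a query parameter. The table names, columns beyond the ones in the quoted queries, and the sample data are assumptions; in the real plugins the WordPress idiom for the fix is a (int) cast or $wpdb->prepare() with a %d placeholder.

```python
import sqlite3

# Constructed sample rows standing in for the plugin tables. Only the column
# names used by the two quoted queries (id, cat, status) come from the post.
EVENTS = [(1, "Team meeting"), (2, "Private: salary review"), (3, "Dentist")]
CATS = [(1, "Public album"), (2, "Hidden album")]
IMAGES = [
    (1, 1, "include", "beach.jpg"),
    (2, 2, "include", "passport.jpg"),
    (3, 1, "exclude", "unfinished.jpg"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_cal (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE fgallery_cats (id INTEGER, name TEXT)")
    conn.execute(
        "CREATE TABLE fgallery_imgs (id INTEGER, cat INTEGER, status TEXT, file TEXT)"
    )
    conn.executemany("INSERT INTO wp_cal VALUES (?, ?)", EVENTS)
    conn.executemany("INSERT INTO fgallery_cats VALUES (?, ?)", CATS)
    conn.executemany("INSERT INTO fgallery_imgs VALUES (?, ?, ?, ?)", IMAGES)
    return conn


# --- the vulnerable pattern: the raw request value is pasted into the SQL ---

def vulnerable_event(conn, raw_id):
    """Models $wpdb->get_row("SELECT * FROM $table WHERE id = $id")."""
    sql = f"SELECT * FROM wp_cal WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def vulnerable_album(conn, raw_album):
    """Models the two fGallery queries built from $_GET[album]."""
    cat = conn.execute(
        f"SELECT * FROM fgallery_cats WHERE id = {raw_album}"
    ).fetchall()
    imgs = conn.execute(
        f"SELECT * FROM fgallery_imgs WHERE cat = {raw_album} AND status = 'include'"
    ).fetchall()
    return cat, imgs


# --- the hardened pattern: validate as an integer, then bind it ---

def as_int(raw):
    """Accept only a plain decimal integer and reject everything else.
    PHP's (int) cast would instead silently truncate '1 OR 1=1' to 1, which
    also defeats the injection; $wpdb->prepare() with %d behaves the same way."""
    if not raw.isdigit():
        raise ValueError(f"not a numeric id: {raw!r}")
    return int(raw)


def safe_event(conn, raw_id):
    return conn.execute(
        "SELECT * FROM wp_cal WHERE id = ?", (as_int(raw_id),)
    ).fetchall()


def safe_album(conn, raw_album):
    album = as_int(raw_album)
    cat = conn.execute(
        "SELECT * FROM fgallery_cats WHERE id = ?", (album,)
    ).fetchall()
    imgs = conn.execute(
        "SELECT * FROM fgallery_imgs WHERE cat = ? AND status = 'include'", (album,)
    ).fetchall()
    return cat, imgs


if __name__ == "__main__":
    db = make_db()
    # No quote to escape: a bare boolean tail widens the numeric comparison.
    print(vulnerable_event(db, "1 OR 1=1"))       # all three events
    # A trailing comment marker also drops the status = 'include' filter.
    print(vulnerable_album(db, "1 OR 1=1 -- "))   # both categories, all three images
    print(safe_event(db, "1"))                    # one row
    try:
        safe_event(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The hardened functions keep the table name as a code-controlled string and pass only the validated integer as a bound parameter, which is exactly what $wpdb->prepare("... WHERE id = %d", (int) $id) does in a WordPress plugin; the rejection in as_int() is stricter than PHP's cast, but either choice leaves nothing attacker-controlled in the SQL text.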

I'd love to provide a fix, but since neither of these plugins is used on Nullamatix, I'll leave the patching to those bold enough to use this stuff. If you're feeling generous and come across a fix, feel free to share it in the comments. In the meantime, deactivate and remove these plugins until a patch is released. Yet another way for your otherwise non-vulnerable site on a shared host to get r00ted. Happy blogging!
