oss-sec mailing list archives

SQL injection in wordpress plugin double-opt-in-for-download v2.0.8


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 28 Nov 2015 13:05:57 -0500

Title: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-11-24
Download Site: https://wordpress.org/plugins/double-opt-in-for-download/
Vendor: https://profiles.wordpress.org/andyba45/ http://www.labwebdesigns.com
Vendor Notified: 2015-11-24
Vendor Fixed: 2015-11-24 in v2.0.9
Description: Capture visitors names and email addresses by offering FREE
downloads to your visitors in exchange for their email address with our
Double Opt-In Plug
Vulnerability:
In the file double-opt-in-for-download/public/includes/class-doifd-download.php, lines 61 and 110 interpolate the unsanitized $ver value from line 38 directly into SQL:

38                 $ver = $_GET[ 'ver' ];
.
.
61                 $checkallowed = $wpdb->get_row ( "SELECT doifd_downloads_allowed FROM " . $wpdb->prefix . "doifd_lab_subscribers WHERE doifd_verification_number = '$ver' " );
.
.
110                             $wpdb->query (
111                                     "
112                         UPDATE $wpdb->doifd_subscribers
113                         SET doifd_downloads_allowed = doifd_downloads_allowed+1 WHERE doifd_verification_number = '$ver'
114                     "
115                             );

This allows blind SQL injection via the $ver parameter, which is neither sanitized nor passed through $wpdb->prepare() before being interpolated into the query.

In the file double-opt-in-for-download/public/includes/class-doifd-landing-page.php, line 71 allows SQL injection via the same $ver parameter, read at line 27:

 26     public function getVerification() {
 27         $this->verification = $_GET[ 'ver' ];
 28         return $this->verification;
 29     }
.
.

 71         $sql = "SELECT *
 72                 FROM {$wpdb->prefix}doifd_lab_subscribers
 73                 INNER JOIN {$wpdb->prefix}doifd_lab_downloads
 74                 ON {$wpdb->prefix}doifd_lab_downloads.doifd_download_id = {$wpdb->prefix}doifd_lab_subscribers.doifd_download_id
 75                 WHERE doifd_verification_number = '$this->verification'";
 76
 77         $this->data = $wpdb->get_row( $sql, ARRAY_A );
CVE ID: CVE-2015-7517
Advisory: http://www.vapidlabs.com/advisory.php?v=157
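For comparison, here is the lookup pattern from the advisory rewritten with $wpdb->prepare(). This is an added example, not the plugin's code and not its v2.0.9 fix; it assumes it runs inside WordPress (so $wpdb, sanitize_text_field() and wp_unslash() are available) and that the UPDATE targets the same doifd_lab_subscribers table as the SELECT.

```php
<?php
// Added example (not the plugin's own code): the $ver lookups from the
// advisory, first as written in v2.0.8, then with the value bound through
// $wpdb->prepare(). Assumes a WordPress runtime providing $wpdb.

// Vulnerable pattern: $ver comes straight from the query string and is
// interpolated into the SQL text, so the request controls the statement.
function doifd_check_allowed_unsafe( $wpdb ) {
    $ver = $_GET['ver'];
    return $wpdb->get_row(
        "SELECT doifd_downloads_allowed FROM {$wpdb->prefix}doifd_lab_subscribers"
        . " WHERE doifd_verification_number = '$ver'"
    );
}

// Hardened: the value is bound with a %s placeholder, so prepare() escapes it
// and it can only be compared as a string literal, never parsed as SQL.
function doifd_check_allowed_safe( $wpdb ) {
    $ver = isset( $_GET['ver'] ) ? sanitize_text_field( wp_unslash( $_GET['ver'] ) ) : '';
    if ( '' === $ver ) {
        return null; // no verification number supplied; nothing to look up
    }
    $sql = $wpdb->prepare(
        "SELECT doifd_downloads_allowed FROM {$wpdb->prefix}doifd_lab_subscribers"
        . " WHERE doifd_verification_number = %s",
        $ver
    );
    return $wpdb->get_row( $sql );
}

// Same treatment for the UPDATE at line 110. Table names cannot be bound as
// placeholders, so the prefix stays in the format string; only the user value
// goes through %s. Table name is an assumption (see lead-in).
function doifd_increment_allowed_safe( $wpdb, $ver ) {
    return $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->prefix}doifd_lab_subscribers"
            . " SET doifd_downloads_allowed = doifd_downloads_allowed + 1"
            . " WHERE doifd_verification_number = %s",
            $ver
        )
    );
}
```

The same change applies to the getVerification()/line 71 path in class-doifd-landing-page.php: keep the JOIN as is and bind '$this->verification' with %s.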

