Vendor: Wordpress Video Gallery
By: Claudio Viviani
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Wordpress Video Gallery
Affected Version From: 2.7
Affected Version To: 2.7
Patch Exists: YES
Related CWE: N/A
CPE: a:apptha:wordpress_video_gallery:2.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 / Mozilla Firefox, Linux / Mozilla Firefox
2015

WordPress Video Gallery 2.7 SQL Injection Vulnerability

Wordpress Video Gallery 2.7 suffers from a SQL injection vulnerability. An attacker can exploit it by sending a crafted HTTP request to the target server in which the 'vid' parameter of the 'wp-admin/admin-ajax.php?action=rss&type=video' URL carries SQL syntax. Because the parameter value reaches the query unsanitised, this can allow an attacker to execute arbitrary SQL commands on the underlying database.

Mitigation:

The vendor has released a patch to address this vulnerability. The patch involves changing line 47 of the videogalleryrss.php file from '$vid = filter_input(INPUT_GET,'vid');' to '$vid = intval(filter_input(INPUT_GET,'vid'));', so that the value is coerced to an integer before it is used in the query and can no longer carry SQL syntax.

Exploit-DB raw data:

######################

# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss

# Date : 2015-02-11

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox

######################

# Vulnerability Disclosure Timeline:

2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor notification
2015-02-10:  Vendor response/feedback
2015-02-10:  Vendor sent fix/patch
2015-02-11:  Public disclosure

# Description

Wordpress Video Gallery 2.7 suffers from a SQL injection vulnerability in the 'vid' parameter of wp-admin/admin-ajax.php?action=rss&type=video.

######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line 47

from:

    $vid = filter_input(INPUT_GET,'vid');

to:

    $vid = intval(filter_input(INPUT_GET,'vid'));
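
The following PHP is an added example, not code from the advisory or from the Video Gallery plugin. It contrasts the unpatched handling of 'vid' (a raw string reaching the query) with the vendor's intval() fix, and adds a validate-and-bind variant a defender would prefer, since intval() neutralises injected syntax but does so silently. The function names, the 'videos' table and the sample inputs are constructed for this illustration.

```php
<?php
// Added example: not code from the advisory or from the Video Gallery plugin.
// It contrasts the unpatched handling of 'vid' with the vendor's intval() fix and
// with a validate-and-bind approach. Function names, the 'videos' table and the
// sample inputs below are all constructed for this illustration.

// Unpatched behaviour: filter_input(INPUT_GET, 'vid') with no filter argument
// applies FILTER_DEFAULT, which returns the raw string unchanged.
function vid_unpatched(?string $raw): ?string
{
    return $raw;
}

// Vendor's fix: intval() coerces the value to an integer. Anything after a leading
// integer is dropped, so SQL syntax cannot survive, but the coercion is silent:
// "42 OR 1=1" quietly becomes 42 and "abc" becomes 0, with nothing logged.
function vid_patched(?string $raw): int
{
    return intval($raw);
}

// Stricter variant: validate instead of coerce, returning null for anything that
// is not a positive integer so the caller can refuse the request and log it.
function vid_strict(?string $raw): ?int
{
    $v = filter_var($raw ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Defence in depth: bind the value instead of concatenating it into the query.
// Shown with PDO here; inside WordPress the equivalent is $wpdb->prepare('... %d', $vid).
function fetch_video(PDO $db, int $vid): ?array
{
    $stmt = $db->prepare('SELECT vid, title FROM videos WHERE vid = :vid');
    $stmt->execute([':vid' => $vid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite stand-in for the plugin's table (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (vid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO videos (vid, title) VALUES (42, 'constructed sample video')");

// Constructed sample values for the 'vid' query parameter: one benign, three that
// a strict validator should refuse.
$samples = ['42', '42 OR 1=1', 'abc', '-7'];
foreach ($samples as $raw) {
    $strict = vid_strict($raw);
    printf(
        "%-12s unpatched=%-12s intval=%-3d strict=%s\n",
        var_export($raw, true),
        var_export(vid_unpatched($raw), true),
        vid_patched($raw),
        $strict === null ? 'rejected' : json_encode(fetch_video($db, $strict))
    );
}
```

Run with `php example.php`. The first column shows what reached the query before the patch, the second what intval() turns it into, and the third how the strict path either rejects the value outright or looks it up through a bound parameter, which is the combination to aim for when reviewing similar admin-ajax handlers.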

#####################

Discovered By : Claudio Viviani
                http://www.homelab.it
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################