Vendor: WP-Predict
By: Chris Kellum
CVSS: 6.4 (MEDIUM)
Vulnerability: Blind SQL Injection
CWE: 89
Product Name: WP-Predict
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: N/A
Related CWE: N/A
CPE: a:pootlepress:wp-predict
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
WordPress WP-Predict v1.0 Blind SQL Injection
The predictId parameter in the POST request is vulnerable to blind SQL injection. When attempting follow-up submissions, the plugin states that you've already voted. This can easily be circumvented by using your browser's back button. Using Burp Suite or another proxy, intercept the POST request when submitting your answer and append " and 1=1" to the predictId parameter before forwarding:

    predictSelection=1&predictId=1 and 1=1&postAction=submitVote&submitVote.x=70&submitVote.y=26

In the example above, the statement evaluates to true and the vote count increases by 1. Sending a new request with "predictId=1 and 1=0" will not increase the vote count.
Mitigation:
Ensure that user input is properly sanitized and validated before being used in SQL queries.
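
The true/false behaviour described above and the mitigation, shown side by side as an added example that is not the plugin's code: Python's sqlite3 stands in for WordPress and MySQL, and the table, column and function names are assumptions. In the plugin's own PHP the equivalent fix is to cast the value with absint() and bind it through $wpdb->prepare() with a %d placeholder.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the plugin's vote table; the schema is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE predictions (id INTEGER PRIMARY KEY, votes INTEGER)")
    db.execute("INSERT INTO predictions VALUES (1, 0)")
    return db

def vote_vulnerable(db, predict_id):
    # Pattern the advisory describes: the raw POST value is concatenated into
    # the statement, so "1 and 1=1" is parsed as part of the WHERE clause.
    sql = "UPDATE predictions SET votes = votes + 1 WHERE id = " + predict_id
    return db.execute(sql).rowcount

def parse_predict_id(raw):
    # Validation: only a plain ASCII decimal integer >= 1 is accepted.
    if not (raw.isascii() and raw.isdigit()) or int(raw) < 1:
        raise ValueError("predictId must be a positive integer")
    return int(raw)

def vote_hardened(db, predict_id):
    # Validated value passed as a bound parameter, never as SQL text.
    sql = "UPDATE predictions SET votes = votes + 1 WHERE id = ?"
    return db.execute(sql, (parse_predict_id(predict_id),)).rowcount

def demo():
    # Replays the three predictId values from the advisory against each handler
    # and returns (per-request result, final vote count).
    results = {}
    for name, handler in (("vulnerable", vote_vulnerable), ("hardened", vote_hardened)):
        db = make_db()
        outcome = []
        for raw in ("1", "1 and 1=1", "1 and 1=0"):
            try:
                outcome.append(handler(db, raw))  # rows updated
            except ValueError:
                outcome.append("rejected")
        total = db.execute("SELECT votes FROM predictions WHERE id = 1").fetchone()[0]
        results[name] = (outcome, total)
    return results

if __name__ == "__main__":
    for name, (outcome, total) in demo().items():
        print(name, outcome, "votes:", total)
```

With the concatenated query the vote count follows the truth value of the appended condition; with validation and binding, both altered values are rejected before any SQL runs.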