WordPress Easy Modal Plugin - Multiple Security VulnerabilitiesAdvisory ID: DC-2017-01-007Advisory Title: WordPress Easy Modal Plugin Multiple
Easy Modal. |
Vulnerabilities
- Software: WordPress Easy Modal plugin
- Language: PHP
- Version: 2.0.17 and below
- Vendor Status: Vendor contacted, update released
- Release Date: 2017/08/07
- Risk: Medium
1. General Overview
During the security audit of Easy Modal plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.2. Software Overview
According to the plugin developers, Easy Modal is the #1 WordPress Popup Plugin. It's advertised as "Make glorious & powerful popups and market your content like never before - all in minutes!".According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com
3. Vulnerability Description
During the security analysis, ThunderScan discovered SQL injection vulnerabilities in Easy Modal WordPress plugin.The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be
able to.
The nonce token is required as the URL parameter. Token value is not unique for each request, nor per each URL, so if the attacker manages to obtain a valid token value, the module could be exposed to attack vectors such as Cross Site request forgery (CSRF).
3.1. SQL injection
- Function: $wpdb->query()
- Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
- Sample URL:
- http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=dele
- te&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
- File: easy-modal\classes\controller\admin\modals.php
3.2. SQL injection
- Function: $wpdb->query()
- Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
- Sample URL:
- http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_ht
- tp_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-mo
- dal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AN
- D%20SLEEP(10)--%20ZpVQ&action2=-1
- File: easy-modal\classes\controller\admin\modals.php