Aug 28, 2017

Home » , , » Exploit: WordPress Plugin Easy Modal 2.0.17 - SQL Injection

Exploit: WordPress Plugin Easy Modal 2.0.17 - SQL Injection

  8:59 PM  , ,

WordPress Easy Modal Plugin - Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-007
Advisory Title: WordPress Easy Modal Plugin Multiple
WordPress Plugin Easy Modal 2017
Easy Modal.

Vulnerabilities

  • Software: WordPress Easy Modal plugin
  • Language: PHP
  • Version: 2.0.17 and below
  • Vendor Status: Vendor contacted, update released
  • Release Date: 2017/08/07
  • Risk: Medium 

1. General Overview

During the security audit of Easy Modal plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

2. Software Overview

According to the plugin developers, Easy Modal is the #1 WordPress Popup Plugin. It's advertised as "Make glorious & powerful popups and market your content like never before - all in minutes!".
According to wordpress.org, it has more than 20,000 active installs.
Homepage:
http://wordpress.org/extend/plugins/easy-modal/
https://easy-modal.com

3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection vulnerabilities in Easy Modal WordPress plugin.

The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be
able to.

The nonce token is required as the URL parameter. Token value is not unique for each request, nor per each URL, so if the attacker manages to obtain a valid token value, the module could be exposed to attack vectors such as Cross Site request forgery (CSRF).

3.1. SQL injection

  • Function: $wpdb->query()
  • Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
  • Sample URL:
  • http://vulnerablesite.com/wp-admin/admin.php?page=easy-modal&action=dele
  • te&id%5B0%5D=4%20AND%20SLEEP(5)&easy-modal_nonce=xxx
  • File: easy-modal\classes\controller\admin\modals.php

3.2. SQL injection

  • Function: $wpdb->query()
  • Variables: $_GET['id'], $_GET['ids'], $_GET['modal']
  • Sample URL:
  • http://vulnerablesite.com/wp-admin/admin.php?easy-modal_nonce=xxx&_wp_ht
  • tp_referer=%2Fvulnerablesite.com%2Fwp-admin%2Fadmin.php%3Fpage%3Deasy-mo
  • dal%26status%3Dtrash&page=easy-modal&action=untrash&paged=1&id[]=2)%20AN
  • D%20SLEEP(10)--%20ZpVQ&action2=-1
  • File: easy-modal\classes\controller\admin\modals.php

4. Credits

by Neven Biruski. | DB

 

AdBlock Detected!

Like this blog? Keep us running by whitelisting this blog in your ad blocker.

This is how to whitelisting this blog in your ad blocker.

Thank you!

×