Summary
A SQL Injection was discovered In the Users Ultra Wordpress Plugin (Upto version 1.4.95), in the user gallery section.
This vulnerability was patched in 1.4.96, users of users ultra should update there sites as soon as possible. The developer was notified on the 15/04/2015 and it was patched on the 16/04/2015. This can be exploited by non privileged but authenticated users. The gal_id parameter of the photos-files module was vulnerable.
Classification / Timeline
Classification:
| Type | SQLI |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-89 |
| CVSS Score | 6.5 Base, 5.4 Temporal |
| CV/E-Number | Non Assigned :( |
| Vendor Notified | 15-04-2015 | Vendor Patch | 16-04-2015 | Publicly Published | 18-04-2015 |
| Last Updated | 18-04-2015 |
Details
The gal_id allowed users to supply excess SQL commands to affect the query to the back end datababse. There were two instances of this in the PHP file xoo.userultra.photos.php, the varible $user_id could also be injectable.
File : xooclasses/xoo.userultra.photos.php
public function get_gallery ($gal_id) -
$photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' ' );
public function get_gallery_public ($gal_id, $user_id)
$photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' AND `gallery_user_id` = ' . $user_id . ' ' );