Summary

This vulnerability was patched in 1.4.96; users of Users Ultra should update their sites as soon as possible. The developer was notified on 15/04/2015 and it was patched on 16/04/2015. The flaw can be exploited by non-privileged but authenticated users. The gal_id parameter of the photos-files module was vulnerable.

Classification / Timeline

Classification:

  Type:           SQLi
  OWASP Top 10:   A1: Injection
  CWE:            CWE-89
  CVSS Score:     6.5 Base, 5.4 Temporal
  CVE Number:     Not assigned :(

Timeline:

  Vendor Notified:     15-04-2015
  Vendor Patch:        16-04-2015
  Publicly Published:  18-04-2015
  Last Updated:        18-04-2015

Details

The gal_id parameter allowed users to append additional SQL to the query sent to the back-end database. There were two instances of this in the PHP file xoo.userultra.photos.php; the variable $user_id could also be injectable.

File : xooclasses/xoo.userultra.photos.php

        // Vulnerable (pre-1.4.96) code: $gal_id is concatenated straight into
        // the SQL string with no escaping or type check.
        public function get_gallery ($gal_id) {
            global $wpdb;
            $photos = $wpdb->get_results( 'SELECT *  FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' ' );
            // remainder of the method is omitted in this advisory
        }

        // Second instance: both $gal_id and $user_id are concatenated unescaped.
        public function get_gallery_public ($gal_id, $user_id) {
            global $wpdb;
            $photos = $wpdb->get_results( 'SELECT *  FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . '  AND  `gallery_user_id` = ' . $user_id . '  ' );
            // remainder of the method is omitted in this advisory
        }