This vulnerability was patched in 1.4.96; users of Users Ultra should update their sites as soon as possible. The developer was notified on 15/04/2015 and the fix was released on 16/04/2015. The flaw can be exploited by authenticated but otherwise unprivileged users. The vulnerable parameter is gal_id in the photos-files module.
OWASP Top 10:        A1: Injection
CVSS Score:          6.5 Base, 5.4 Temporal
CVE Number:          Not assigned
Vendor Notified:     15-04-2015
Vendor Patch:        16-04-2015
Publicly Published:  18-04-2015
The gal_id value is concatenated straight into the SQL string, so a user can append additional SQL to alter the query sent to the back-end database. The PHP file xoo.userultra.photos.php contains two such queries; in the second one the $user_id variable is concatenated in the same way, so it is potentially injectable as well.
File: xooclasses/xoo.userultra.photos.php (excerpt)

    // $gal_id is inserted unquoted and unvalidated into the WHERE clause
    public function get_gallery ($gal_id) {
        $photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' ' );
    }

    // same pattern; both $gal_id and $user_id are concatenated into the query
    public function get_gallery_public ($gal_id, $user_id) {
        $photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' AND `gallery_user_id` = ' . $user_id . ' ' );
    }
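The block below is an added example, not code from the advisory, the Users Ultra plugin, or its 1.4.96 patch. It places the concatenated query next to a hardened version that binds the values through WordPress's $wpdb->prepare(). It assumes the WordPress $wpdb object and the usersultra_galleries table named above; the function names, the sample payload in the comments, and the early return on non-positive ids are this example's own choices.

```php
<?php
// Added example: assumes the WordPress global $wpdb and the
// {prefix}usersultra_galleries table from the advisory. Function names
// are this example's own and mirror those in xoo.userultra.photos.php.

// Vulnerable form, as in the advisory. $gal_id sits in a numeric context,
// so no quote character is needed to break out: a gal_id of "1 OR 1=1"
// produces
//   SELECT * FROM wp_usersultra_galleries WHERE `gallery_id` = 1 OR 1=1
// which returns every gallery row, regardless of owner.
function get_gallery_vulnerable( $gal_id ) {
    global $wpdb;
    return $wpdb->get_results(
        'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' '
    );
}

// Hardened form: the %d placeholder in $wpdb->prepare() formats the
// argument as an integer, so "1 OR 1=1" becomes 1 and the appended SQL
// never reaches MySQL. The explicit (int) cast plus range check rejects
// junk before the query is even built.
function get_gallery_hardened( $gal_id ) {
    global $wpdb;
    $gal_id = (int) $gal_id;
    if ( $gal_id <= 0 ) {
        return array(); // no gallery has a non-positive id; refuse early
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}usersultra_galleries WHERE `gallery_id` = %d",
        $gal_id
    );
    return $wpdb->get_results( $sql );
}

// The two-argument variant gets the same treatment: both ids are bound,
// which also closes the $user_id concatenation noted in the advisory.
function get_gallery_public_hardened( $gal_id, $user_id ) {
    global $wpdb;
    $gal_id  = (int) $gal_id;
    $user_id = (int) $user_id;
    if ( $gal_id <= 0 || $user_id <= 0 ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}usersultra_galleries WHERE `gallery_id` = %d AND `gallery_user_id` = %d",
        $gal_id,
        $user_id
    );
    return $wpdb->get_results( $sql );
}
```

The point to check when reviewing similar plugin code is the numeric context: developers often assume injection requires a stray quote, but an integer column compared against a bare concatenated value is exploitable with nothing more than a space and a keyword. Binding through prepare() with %d, rather than escaping, is what removes that class of payload.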