Summary
This vulnerability was patched in 1.4.96, users of users ultra should update there sites as soon as possible. The developer was notified on the 15/04/2015 and it was patched on the 16/04/2015. This can be exploited by non privileged but authenticated users. The gal_id parameter of the photos-files module was vulnerable.
Classification / Timeline
Classification:
| Type | SQLI |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-89 |
| CVSS Score | 6.5 Base, 5.4 Temporal |
| CV/E-Number | Non Assigned :( |
| Vendor Notified | 15-04-2015 | Vendor Patch | 16-04-2015 | Publicly Published | 18-04-2015 |
| Last Updated | 18-04-2015 |
Details
The gal_id allowed users to supply excess SQL commands to affect the query to the back end datababse. There were two instances of this in the PHP file xoo.userultra.photos.php, the varible $user_id could also be injectable.
File : xooclasses/xoo.userultra.photos.php
public function get_gallery ($gal_id) -
$photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' ' );
public function get_gallery_public ($gal_id, $user_id)
$photos = $wpdb->get_results( 'SELECT * FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' AND `gallery_user_id` = ' . $user_id . ' ' );