Summary

A SQL injection vulnerability was discovered in the Users Ultra WordPress plugin (up to version 1.4.95), in the user gallery section.

This vulnerability was patched in 1.4.96; users of Users Ultra should update their sites as soon as possible. The developer was notified on 15/04/2015 and the issue was patched on 16/04/2015. It can be exploited by non-privileged but authenticated users. The gal_id parameter of the photos-files module was vulnerable.

Classification / Timeline

Classification:

Type: SQLi
OWASP Top 10: A1: Injection
CWE: CWE-89
CVSS Score: 6.5 Base, 5.4 Temporal
CVE Number: Not assigned

Timeline:

Vendor Notified: 15-04-2015
Vendor Patch: 16-04-2015
Publicly Published: 18-04-2015
Last Updated: 18-04-2015

Details

The gal_id parameter allowed users to append additional SQL to the query sent to the back-end database, because the value is concatenated directly into the query string. There were two instances of this in the PHP file xoo.userultra.photos.php; the variable $user_id could also be injectable.

File: xooclasses/xoo.userultra.photos.php
        public function get_gallery ($gal_id) {
            global $wpdb; // vulnerable: $gal_id is concatenated into the query unescaped
            $photos = $wpdb->get_results( 'SELECT *  FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . ' ' );
        }

        public function get_gallery_public ($gal_id, $user_id) {
            global $wpdb; // vulnerable: both $gal_id and $user_id are concatenated unescaped
            $photos = $wpdb->get_results( 'SELECT *  FROM ' . $wpdb->prefix . 'usersultra_galleries WHERE `gallery_id` = ' . $gal_id . '  AND  `gallery_user_id` = ' . $user_id . '  ' );
        }
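As an added example (not the plugin's own 1.4.96 patch, whose code is not shown here), the two queries rewritten with $wpdb->prepare() so that gal_id and user_id are bound as integers instead of being concatenated; the class name is an assumption.

```php
<?php
// Added example: hardened versions of the two gallery queries using $wpdb->prepare().
// This is not the plugin's actual 1.4.96 fix; method names follow the advisory,
// the class name is assumed.
class XooUserUltraPhotosHardened {

    // Returns the rows for one gallery. The id is bound with %d, so whatever the
    // caller supplies in gal_id is coerced to an integer and cannot alter the query.
    public function get_gallery( $gal_id ) {
        global $wpdb;
        $gal_id = absint( $gal_id );
        if ( $gal_id === 0 ) {
            return array(); // reject missing or non-numeric ids before querying
        }
        $sql = $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}usersultra_galleries WHERE `gallery_id` = %d",
            $gal_id
        );
        return $wpdb->get_results( $sql );
    }

    // Public variant: both gal_id and user_id are bound as integers, which also
    // closes the $user_id concatenation the advisory notes could be injectable.
    public function get_gallery_public( $gal_id, $user_id ) {
        global $wpdb;
        $gal_id  = absint( $gal_id );
        $user_id = absint( $user_id );
        if ( $gal_id === 0 || $user_id === 0 ) {
            return array();
        }
        $sql = $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}usersultra_galleries"
            . " WHERE `gallery_id` = %d AND `gallery_user_id` = %d",
            $gal_id,
            $user_id
        );
        return $wpdb->get_results( $sql );
    }
}
```

Because the placeholders are %d, the only values that can reach the database are integers; a request carrying extra SQL in gal_id simply yields an empty result instead of a modified query.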