6 Aug 2019

Vulnerability Details: Authenticated SQL Injection in Popup Builder

Today Fortinet released a misleading “Zero-Day Advisory” about a vulnerability in the plugin Popup Builder. What is described is not a zero-day and the description is missing key information that would let everyone know that the issue is of limited concern (they have repeatedly failed to mention that type of information in recent reports of claimed vulnerabilities in WordPress plugins). Here is what they describe the issue as:

17 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Advanced CF7 DB (Advanced Contact form 7 DB)

Yesterday we noted the recently closed plugin Advanced CF7 DB (Advanced Contact form 7 DB) had numerous security issues. It looks like one of those may have led to it being closed, as subsequent to the closure a new version with the changelog “We have fixed SQL injection related bugs at the back office query.” was submitted. It is interesting that this seems to be rather minor in comparison with some of the other issues, as it looks like by default it is only directly accessible by Administrators.

16 Jul 2019

Vulnerability Details: Authenticated SQL Injection in Web Librarian WP Plugin

Since we started monitoring CVE data on WordPress plugin vulnerabilities what we have seen is that the quality of the data isn’t very good. That again is true with CVE-2019-1010034, which states that versions “3.5.2 and earlier” of Web Librarian WP Plugin contain a SQL injection vulnerability. The next version of the plugin 3.5.3 was released in April of last year, which makes it seem odd that this report would be coming out now. The changelog for 3.5.3 is “Perform length check and truncation in WEBLIB_ItemInCollection::upload_csv().”, which doesn’t sound like it relates to the vulnerability mentioned and the changes made in that version look unrelated.

15 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Everest Forms

One of the changelog entries for the latest version of Everest Forms is “Fix – SQL Injection (discovered by Tin Duong).” Looking at the changes made in that version we saw that in /includes/evf-entry-functions.php several SQL statements had been changed to be prepared, which fixed SQL injection vulnerabilities. It looks like those statements are only accessed from the plugin’s Entries admin page, which is normally only accessible by Administrators, who can already do the equivalent of SQL injection, but through cross-site request forgery (CSRF) this could have been exploited.

12 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in AdRotate

For the second day in a row a plugin has been updated to fix a SQL injection vulnerability in a less than ideal way. One of the changelog entries in the latest version of AdRotate is “[fix] Possible vulnerability for users with privileged access”. Looking at the changes made, it wasn’t at first clear what was going on.

11 Jul 2019

Vulnerability Details: Authenticated SQL Injection in FV Player

One of the changelog entries for the latest version of FV Player is “Security – fix for SQL injection vulnerability on the wp-admin FV Player screen for users with access”. Looking at the changes made we found that an authenticated SQL injection vulnerability was fixed though the code hasn’t been properly secured and there still may be related issues.

3 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Visitors Traffic Real Time Statistics

The changelog entry for the latest version of Visitors Traffic Real Time Statistics is “CSRF bug fixing in settings page (prevent SQL injection) – reported by Mr. Paul”. Looking at the changes made we didn’t see any change made to fix a cross-site request forgery (CSRF) vulnerability, but did see a SQL statement was changed to a prepared statement, which would prevent the possibility of SQL injection. Further checking showed that there is still a CSRF vulnerability that can be used to change the plugin’s settings. We notified the developer of that yesterday, but so far we have not heard back from them and the issue hasn’t been resolved.

14 May 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Contact Form Maker (Contact Form by WD)

Recently Daniele Scanu disclosed the details of a cross-site request forgery (CSRF)/SQL injection vulnerability they had found in the plugin Form Maker. The developer of that plugin is also the developer of the plugin Contact Form Maker (Contact Form by WD) and they fixed the same vulnerability in that plugin as well.

8 May 2019

Vulnerability Details: Authenticated SQL Injection in WP Booking System

The changelog for the latest version of WP Booking System is “Security Improvements”. Looking at the changes made we found that refers to fixing several SQL injection vulnerabilities, though not through the most ideal method, as they were fixed with usage of the function esc_sql() instead of prepared statements. The vulnerabilities could have been exploited by logged in WordPress users and through cross-site request forgery (CSRF).

3 Apr 2019

Vulnerability Details: Authenticated SQL Injection in Related Posts

After the plugin Related Posts was closed on Saturday we noted it has a very serious settings change vulnerability that leads to persistent cross-site scripting (XSS). Something we have been interested in with recent likely to be exploitable vulnerabilities, like that one, is having a better understanding of whether these are fluke security issues in the plugins or whether the security of the plugins is rather poor in general. What we have been seeing is that the plugins have fallen in the latter category, but we are also seeing that these developers seem to be making coding mistakes and not testing the functionality they are changing, which should have flagged those mistakes for them.